Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1578628
MD5:8c724813b4468960543fcbcb4635f74f
SHA1:23693d84c1441a3edc77686c5a613f747ccff8a6
SHA256:4cc2d946c5c43426f509193cb5bee665f59f46c795c4da045d3b5940d660e6d4
Tags:exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 2260 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8C724813B4468960543FCBCB4635F74F)
    • skotes.exe (PID: 2676 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 8C724813B4468960543FCBCB4635F74F)
  • skotes.exe (PID: 4952 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 8C724813B4468960543FCBCB4635F74F)
  • skotes.exe (PID: 4396 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 8C724813B4468960543FCBCB4635F74F)
    • a2236cc5aa.exe (PID: 7084 cmdline: "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe" MD5: AFD936E441BF5CBDB858E96833CC6ED3)
      • conhost.exe (PID: 2412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • a2236cc5aa.exe (PID: 5256 cmdline: "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe" MD5: AFD936E441BF5CBDB858E96833CC6ED3)
    • e565baa4b6.exe (PID: 2608 cmdline: "C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe" MD5: 25FB9C54265BBACC7A055174479F0B70)
    • 3494904393.exe (PID: 6148 cmdline: "C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe" MD5: 04F57C6FB2B2CD8DCC4B38E4A93D4366)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5024 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6764 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 63506cf0a7384158900a9c4410789dbd.exe (PID: 2616 cmdline: "C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe" MD5: CC36E2A5A3C64941A79C31CA320E9797)
        • chrome.exe (PID: 8112 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 7552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2244,i,11399492537237456067,12274902701966245916,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 9116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 7412 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=2228,i,13984323130618621561,12790505923431820552,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 1968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 8128 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2268,i,11916466110525037174,8440217537469921044,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • 128703c003.exe (PID: 2584 cmdline: "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe" MD5: 3647AF905F92B479113300608444F101)
    • 8a13e339a3.exe (PID: 3184 cmdline: "C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe" MD5: 2854309DFD78A64E325E67004B94ADDF)
      • chrome.exe (PID: 3948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
        • chrome.exe (PID: 7000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 --field-trial-handle=2108,i,8456486069817355234,11844497876439490650,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • msedge.exe (PID: 4672 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)
    • 7ccdd68f3b.exe (PID: 3848 cmdline: "C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe" MD5: 134E8ED7546996583F248F49C87D99A2)
      • taskkill.exe (PID: 6824 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4304 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 7000 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5940 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 1120 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • firefox.exe (PID: 3716 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • 2fc1eb1411.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe" MD5: 27D1C23073BBF3BE2092A18AB4CF9818)
    • ebfedd813b.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe" MD5: EF08A45833A7D881C90DED1952F96CB4)
  • svchost.exe (PID: 348 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • 128703c003.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe" MD5: 3647AF905F92B479113300608444F101)
  • 128703c003.exe (PID: 5888 cmdline: "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe" MD5: 3647AF905F92B479113300608444F101)
  • firefox.exe (PID: 2072 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 2792 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 7784 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3116d80-26e5-4678-b47c-6e372794e0eb} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 2800d16fd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 8716 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4304 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {822619a6-5657-47d3-80bf-2521004ff1f0} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 28020772b10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • 8a13e339a3.exe (PID: 8356 cmdline: "C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe" MD5: 2854309DFD78A64E325E67004B94ADDF)
  • 7ccdd68f3b.exe (PID: 9108 cmdline: "C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe" MD5: 134E8ED7546996583F248F49C87D99A2)
    • taskkill.exe (PID: 4140 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • 2fc1eb1411.exe (PID: 8280 cmdline: "C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe" MD5: 27D1C23073BBF3BE2092A18AB4CF9818)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
NameDescriptionAttributionBlogpost URLsLink
AmadeyAmadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
NameDescriptionAttributionBlogpost URLsLink
StealcStealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
NameDescriptionAttributionBlogpost URLsLink
VidarVidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["energyaffai.lat", "discokeyus.lat", "necklacebudi.lat", "sustainskelet.lat", "crosshuaht.lat", "aspecteirs.lat", "rapeflowwj.lat", "pancakedipyps.click", "grannyejh.lat"], "Build id": "nheapcorruption--"}

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
    C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exeJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exeJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
              00000030.00000003.3288737853.0000000004830000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
                00000017.00000003.3258078775.000000000169B000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
                    00000003.00000003.2200230498.00000000050A0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
                      Click to see the 33 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      19.0.63506cf0a7384158900a9c4410789dbd.exe.400000.0.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                        3.2.skotes.exe.190000.0.unpackJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
                          0.2.file.exe.e10000.0.unpackJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
                            2.2.skotes.exe.190000.0.unpackJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security

                              Sigma Signatures

                              System Summary

                              barindex
                              Sigma detected: New RUN Key Pointing to Suspicious Folder
                              Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 4396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\128703c003.exe
                              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe, ParentProcessId: 6148, ParentProcessName: 3494904393.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", ProcessId: 5024, ProcessName: powershell.exe
                              Sigma detected: Browser Started with Remote Debugging
                              Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe, ParentProcessId: 3184, ParentProcessName: 8a13e339a3.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 3948, ProcessName: chrome.exe
                              Sigma detected: CurrentVersion Autorun Keys Modification
                              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 4396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\128703c003.exe
                              Sigma detected: Powershell Defender Exclusion
                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe, ParentProcessId: 6148, ParentProcessName: 3494904393.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", ProcessId: 5024, ProcessName: powershell.exe
                              Sigma detected: Non Interactive PowerShell Process Spawned
                              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe, ParentProcessId: 6148, ParentProcessName: 3494904393.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl", ProcessId: 5024, ProcessName: powershell.exe
                              Sigma detected: Windows Processes Suspicious Parent Directory
                              Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 348, ProcessName: svchost.exe

                              Suricata Signatures

                              No Suricata rule has matched

                              Joe Sandbox Signatures

                              Click to jump to signature section

                              Show All Signature Results

                              AV Detection

                              barindex
                              Antivirus / Scanner detection for submitted sample
                              Source: file.exeAvira: detected
                              Antivirus detection for dropped file
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exeAvira: detection malicious, Label: TR/Crypt.XPACK.Gen
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exeAvira: detection malicious, Label: HEUR/AGEN.1320706
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exeAvira: detection malicious, Label: TR/Crypt.XPACK.Gen
                              Found malware configuration
                              Source: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmpMalware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
                              Source: 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}
                              Source: a2236cc5aa.exe.7084.7.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "discokeyus.lat", "necklacebudi.lat", "sustainskelet.lat", "crosshuaht.lat", "aspecteirs.lat", "rapeflowwj.lat", "pancakedipyps.click", "grannyejh.lat"], "Build id": "nheapcorruption--"}
                              Multi AV Scanner detection for dropped file
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exeReversingLabs: Detection: 18%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exeReversingLabs: Detection: 54%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exeReversingLabs: Detection: 66%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exeReversingLabs: Detection: 75%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exeReversingLabs: Detection: 54%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exeReversingLabs: Detection: 80%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[4].exeReversingLabs: Detection: 87%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[5].exeReversingLabs: Detection: 27%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exeReversingLabs: Detection: 68%
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[3].exeReversingLabs: Detection: 66%
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeReversingLabs: Detection: 68%
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeReversingLabs: Detection: 75%
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeReversingLabs: Detection: 18%
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeReversingLabs: Detection: 66%
                              Source: C:\Users\user\AppData\Local\Temp\1017985001\1e467b8b46.exeReversingLabs: Detection: 80%
                              Source: C:\Users\user\AppData\Local\Temp\1017987001\7bbff7a3a2.exeReversingLabs: Detection: 54%
                              Source: C:\Users\user\AppData\Local\Temp\1017988001\2dc416cfa5.exeReversingLabs: Detection: 87%
                              Source: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exeReversingLabs: Detection: 54%
                              Source: C:\Users\user\AppData\Local\Temp\1017992001\e7bd366d99.exeReversingLabs: Detection: 66%
                              Source: C:\Users\user\AppData\Local\Temp\1017993001\718f24a5dc.exeReversingLabs: Detection: 27%
                              Source: C:\Users\user\AppData\Local\Temp\1017994001\98679d2b4b.exeReversingLabs: Detection: 18%
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeReversingLabs: Detection: 50%
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeReversingLabs: Detection: 47%
                              Multi AV Scanner detection for submitted file
                              Source: file.exeReversingLabs: Detection: 50%
                              AI detected suspicious sample
                              Source: Submited SampleIntegrated Neural Analysis Model: Matched 96.6% probability
                              Machine Learning detection for dropped file
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exeJoe Sandbox ML: detected
                              Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exeJoe Sandbox ML: detected
                              Machine Learning detection for sample
                              Source: file.exeJoe Sandbox ML: detected
                              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: 3494904393.exe, 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000000.3044420282.0000018167332000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256\u source: 3494904393.exe, 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000000.3044420282.0000018167332000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: 3494904393.exe, 0000000B.00000000.2867570973.0000000000532000.00000002.00000001.01000000.0000000B.sdmp
                              Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: 3494904393.exe, 0000000B.00000000.2867570973.0000000000532000.00000002.00000001.01000000.0000000B.sdmp
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: number of queries: 2002
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: number of queries: 1001
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: number of queries: 1001
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DC36A9 FindFirstFileExW,7_2_00DC36A9
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DC375A FindFirstFileExW,FindNextFileW,FindClose,FindClose,7_2_00DC375A
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                              Source: chrome.exeMemory has grown: Private usage: 1MB later: 30MB
                              Source: firefox.exeMemory has grown: Private usage: 1MB later: 192MB

                              Networking

                              barindex
                              C2 URLs / IPs found in malware configuration
                              Source: Malware configuration extractorURLs: energyaffai.lat
                              Source: Malware configuration extractorURLs: discokeyus.lat
                              Source: Malware configuration extractorURLs: necklacebudi.lat
                              Source: Malware configuration extractorURLs: sustainskelet.lat
                              Source: Malware configuration extractorURLs: crosshuaht.lat
                              Source: Malware configuration extractorURLs: aspecteirs.lat
                              Source: Malware configuration extractorURLs: rapeflowwj.lat
                              Source: Malware configuration extractorURLs: pancakedipyps.click
                              Source: Malware configuration extractorURLs: grannyejh.lat
                              Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199809363512
                              Source: Malware configuration extractorIPs: 185.215.113.43
                              Yara detected Generic Downloader
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe, type: DROPPED
                              Source: Joe Sandbox ViewIP Address: 185.215.113.43 185.215.113.43
                              Source: Joe Sandbox ViewIP Address: 116.203.12.114 116.203.12.114
                              Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
                              Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
                              Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E1E0C0 recv,recv,recv,recv,0_2_00E1E0C0
                              Source: 128703c003.exe, 00000017.00000003.3666383879.0000000001702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/
                              Source: 128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3666383879.0000000001702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/H
                              Source: 128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3666383879.0000000001702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/j
                              Source: 128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3666383879.0000000001702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/l
                              Source: 128703c003.exe, 00000017.00000003.3659903833.0000000001711000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exe
                              Source: 128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/off/def.exevh
                              Source: 128703c003.exe, 00000017.00000003.3666383879.0000000001702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.16/steam/random.exe
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001381000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001381000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllJ
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/7
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php)
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpM
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpa
                              Source: 8a13e339a3.exe, 00000015.00000003.3429013238.0000000001394000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phps
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/h
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                              Source: 128703c003.exe, 00000012.00000003.3011066639.0000000000A13000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000012.00000003.3011534814.0000000000A57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                              Source: e565baa4b6.exe, 0000000A.00000003.3253053792.000000000085F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2913135607.0000000002D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2972792900.0000000007FD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/StoreLogo.Light.png
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181004BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/Theme/Light.xaml
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181004BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/app.Light.ico
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181003E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://e12564.dspb.akamaiedge.net
                              Source: svchost.exe, 00000016.00000003.3061403026.0000019246380000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Resources/StoreAppList.Light.png
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Resources/StoreLogo.Light.png
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181004BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Resources/app.Light.ico
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181004BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/resources/app.light.ico
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/resources/storeapplist.light.png
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/resources/storelogo.light.png
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3054106984.00000000028DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://github.com
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3054106984.00000000028DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://github.comd
                              Source: powershell.exe, 0000000D.00000002.2917207950.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                              Source: powershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.comd
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/StoreInstaller.Models
                              Source: powershell.exe, 0000000D.00000002.2914223441.0000000004B75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.0000000002831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2914223441.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004541000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181003C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: powershell.exe, 0000000D.00000002.2914223441.0000000004B75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                              Source: powershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3081412103.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3078242620.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3068983043.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                              Source: 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                              Source: a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                              Source: powershell.exe, 0000000D.00000002.2914223441.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004541000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                              Source: a2236cc5aa.exe, 00000009.00000003.2976264747.0000000003848000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                              Source: e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                              Source: e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                              Source: a2236cc5aa.exe, 00000009.00000003.2976264747.0000000003848000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                              Source: powershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                              Source: powershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                              Source: powershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3078242620.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/B
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/CA
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/MA
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/O
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/W
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/c
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/g
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/gA
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/hA
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/w
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/yB
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/z
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://frostman.shop/~A
                              Source: svchost.exe, 00000016.00000003.3061403026.00000192463F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                              Source: svchost.exe, 00000016.00000003.3061403026.0000019246380000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.00000000028CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                              Source: powershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                              Source: 3494904393.exe, 0000000B.00000000.2867570973.0000000000532000.00000002.00000001.01000000.0000000B.sdmp, 3494904393.exe, 0000000B.00000002.3054106984.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3054106984.0000000002842000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/biyjdfjadaw.exe
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.0000000002859000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000000.2867570973.0000000000532000.00000002.00000001.01000000.0000000B.sdmp, 3494904393.exe, 0000000B.00000002.3054106984.0000000002842000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe
                              Source: 128703c003.exe, 00000017.00000003.3168584611.000000000169B000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3371714370.0000000001702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/
                              Source: 128703c003.exe, 00000012.00000003.3011604086.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000012.00000002.3012509947.00000000009E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/2H
                              Source: 128703c003.exe, 00000012.00000003.3011604086.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000012.00000002.3012509947.00000000009E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/4
                              Source: 128703c003.exe, 00000017.00000003.3168584611.000000000169B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/W
                              Source: 128703c003.exe, 00000017.00000003.3412151122.0000000001703000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3258078775.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3334200098.00000000016F9000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3368106621.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3275631067.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3337300081.0000000001702000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3666383879.0000000001702000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3371714370.0000000001702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/X
                              Source: 128703c003.exe, 00000017.00000003.3244507163.0000000005E5B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3312048680.0000000005E73000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3168584611.000000000169B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/api
                              Source: 128703c003.exe, 00000017.00000003.3409861563.0000000005E73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/apiM
                              Source: 128703c003.exe, 00000012.00000002.3012272539.000000000099E000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3168584611.0000000001682000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/apit
                              Source: 128703c003.exe, 00000017.00000003.3168584611.000000000169B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/apiup
                              Source: 128703c003.exe, 00000017.00000003.3168584611.000000000169B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/h
                              Source: 128703c003.exe, 00000017.00000003.3168584611.0000000001682000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3212635855.0000000005E58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/p
                              Source: 128703c003.exe, 00000012.00000003.3011604086.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000012.00000002.3012509947.00000000009E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat/u
                              Source: 128703c003.exe, 00000012.00000003.3011066639.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000012.00000002.3012509947.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3168584611.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3411535571.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3368738714.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3334478529.0000000001679000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat:443/api
                              Source: 128703c003.exe, 00000017.00000003.3368738714.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3334478529.0000000001679000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grannyejh.lat:443/apical
                              Source: 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                              Source: powershell.exe, 0000000D.00000002.2917207950.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                              Source: a2236cc5aa.exe, a2236cc5aa.exe, 00000009.00000002.3133800466.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2972854469.0000000003834000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3092499477.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3094940649.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3034726949.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029644708.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122847906.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029780575.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3137538281.00000000012A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/
                              Source: a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.000000000128B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/#
                              Source: a2236cc5aa.exe, 00000009.00000003.3006312115.00000000012A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/H
                              Source: a2236cc5aa.exe, a2236cc5aa.exe, 00000009.00000003.3119803218.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3094940649.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3092499477.0000000001284000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000122B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029437490.0000000001283000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122847906.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.0000000001284000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122658789.000000000122D000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3087755714.000000000383D000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3137538281.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.0000000001284000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3134231707.000000000122E000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3006552725.0000000001283000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3116794521.000000000383D000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3047195115.000000000382F000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3047775117.0000000003832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/api
                              Source: a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.000000000128B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/apiH
                              Source: a2236cc5aa.exe, 00000009.00000003.3119803218.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3094940649.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122847906.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3137538281.00000000012A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/apiT
                              Source: a2236cc5aa.exe, 00000009.00000003.3094940649.00000000012A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/apis
                              Source: a2236cc5aa.exe, 00000009.00000003.3092499477.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/pi
                              Source: a2236cc5aa.exe, 00000009.00000003.2972184355.0000000003834000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click/x
                              Source: a2236cc5aa.exe, 00000009.00000003.3007554160.0000000001212000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click:443/apicrosoft
                              Source: a2236cc5aa.exe, 00000009.00000002.3133800466.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3092499477.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029437490.0000000001212000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pancakedipyps.click:443/apiefault-release/key4.dbPK
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/biyjdfjadaw.exe
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/ktyihkdfesf.exe
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comD
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296B000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043796968.0000000000423000.00000008.00000001.01000000.00000010.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043796968.0000000000423000.00000008.00000001.01000000.00000010.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
                              Source: 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                              Source: 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                              Source: 3494904393.exe, 0000000B.00000002.3054106984.000000000296B000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3078242620.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3078242620.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043796968.0000000000423000.00000008.00000001.01000000.00000010.sdmpString found in binary or memory: https://t.me/k04ael
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043796968.0000000000423000.00000008.00000001.01000000.00000010.sdmpString found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
                              Source: e565baa4b6.exe, 0000000A.00000003.3132201109.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133060846.0000000005405000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3137766063.0000000005406000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3316209595.0000000005407000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3106309298.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3103245205.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3316055734.0000000005401000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133607214.0000000005406000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3108132250.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3132201109.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3132555502.0000000005402000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3106075883.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3255326461.0000000005406000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3132410630.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3190290068.0000000005405000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3162109459.0000000005402000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005406000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/
                              Source: e565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/;.
                              Source: e565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/=lg7
                              Source: e565baa4b6.exe, 0000000A.00000003.3254207262.0000000000815000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3190222323.0000000000872000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3288044439.000000000087B000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/api
                              Source: e565baa4b6.exe, 0000000A.00000002.3285986121.0000000000815000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3254207262.0000000000815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/api&
                              Source: e565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/apiA
                              Source: e565baa4b6.exe, 0000000A.00000003.3167500325.0000000000879000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3166630569.0000000000874000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/apiZz
                              Source: e565baa4b6.exe, 0000000A.00000003.3190256210.0000000000865000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/eml7=
                              Source: e565baa4b6.exe, 0000000A.00000003.3255326461.0000000005406000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/r
                              Source: e565baa4b6.exe, 0000000A.00000003.3162109459.0000000005402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/u
                              Source: e565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click/us
                              Source: e565baa4b6.exe, 0000000A.00000003.3254207262.0000000000809000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3285986121.000000000080C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://treehoneyi.click:443/api
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3068983043.00000000007B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
                              Source: e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                              Source: a2236cc5aa.exe, 00000009.00000003.2976264747.0000000003848000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                              Source: a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                              Source: 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                              Source: 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                              Source: a2236cc5aa.exe, 00000009.00000003.2975183013.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3138324559.0000000005694000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                              Source: 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                              Source: a2236cc5aa.exe, 00000009.00000003.2975183013.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3138324559.0000000005694000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                              Source: a2236cc5aa.exe, 00000009.00000003.2975183013.0000000003AD7000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3138324559.0000000005694000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                              Source: firefox.exe, 00000029.00000002.3223968923.0000018C06C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

                              System Summary

                              barindex
                              PE file contains section with special chars
                              Source: file.exeStatic PE information: section name:
                              Source: file.exeStatic PE information: section name: .idata
                              Source: skotes.exe.0.drStatic PE information: section name:
                              Source: skotes.exe.0.drStatic PE information: section name: .idata
                              Source: random[1].exe.6.drStatic PE information: section name:
                              Source: random[1].exe.6.drStatic PE information: section name: .idata
                              Source: random[1].exe.6.drStatic PE information: section name:
                              Source: e565baa4b6.exe.6.drStatic PE information: section name:
                              Source: e565baa4b6.exe.6.drStatic PE information: section name: .idata
                              Source: e565baa4b6.exe.6.drStatic PE information: section name:
                              Source: random[3].exe.6.drStatic PE information: section name:
                              Source: random[3].exe.6.drStatic PE information: section name: .idata
                              Source: random[3].exe.6.drStatic PE information: section name:
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name:
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name: .idata
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name:
                              Source: random[1].exe2.6.drStatic PE information: section name:
                              Source: random[1].exe2.6.drStatic PE information: section name: .idata
                              Source: random[1].exe2.6.drStatic PE information: section name:
                              Source: 128703c003.exe.6.drStatic PE information: section name:
                              Source: 128703c003.exe.6.drStatic PE information: section name: .idata
                              Source: 128703c003.exe.6.drStatic PE information: section name:
                              Source: random[2].exe.6.drStatic PE information: section name:
                              Source: random[2].exe.6.drStatic PE information: section name: .idata
                              Source: 8a13e339a3.exe.6.drStatic PE information: section name:
                              Source: 8a13e339a3.exe.6.drStatic PE information: section name: .idata
                              Source: random[4].exe.6.drStatic PE information: section name:
                              Source: random[4].exe.6.drStatic PE information: section name: .idata
                              Source: random[4].exe.6.drStatic PE information: section name:
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name:
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name: .idata
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name:
                              Source: random[2].exe1.6.drStatic PE information: section name:
                              Source: random[2].exe1.6.drStatic PE information: section name: .idata
                              Source: 2fc1eb1411.exe.6.drStatic PE information: section name:
                              Source: 2fc1eb1411.exe.6.drStatic PE information: section name: .idata
                              Source: random[5].exe.6.drStatic PE information: section name:
                              Source: random[5].exe.6.drStatic PE information: section name: .idata
                              Source: random[5].exe.6.drStatic PE information: section name:
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name:
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name: .idata
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name:
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess Stats: CPU usage > 49%
                              Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\skotes.jobJump to behavior
                              Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E578BB0_2_00E578BB
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E588600_2_00E58860
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E570490_2_00E57049
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E531A80_2_00E531A8
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E14B300_2_00E14B30
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E14DE00_2_00E14DE0
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E52D100_2_00E52D10
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E5779B0_2_00E5779B
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E47F360_2_00E47F36
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001D70492_2_001D7049
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001D88602_2_001D8860
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001D78BB2_2_001D78BB
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001D31A82_2_001D31A8
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_00194B302_2_00194B30
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001D2D102_2_001D2D10
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_00194DE02_2_00194DE0
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001C7F362_2_001C7F36
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001D779B2_2_001D779B
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001D70493_2_001D7049
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001D88603_2_001D8860
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001D78BB3_2_001D78BB
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001D31A83_2_001D31A8
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_00194B303_2_00194B30
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001D2D103_2_001D2D10
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_00194DE03_2_00194DE0
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001C7F363_2_001C7F36
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001D779B3_2_001D779B
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB10007_2_00DB1000
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB4C8C7_2_00DB4C8C
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DC6F3A7_2_00DC6F3A
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0129DB639_3_0129DB63
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0128D14F9_3_0128D14F
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0128D14F9_3_0128D14F
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0128D14F9_3_0128D14F
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0128D14F9_3_0128D14F
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_038319BA9_3_038319BA
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012B20609_3_012B2060
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0128D14F9_3_0128D14F
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0128D14F9_3_0128D14F
                              Source: Joe Sandbox ViewDropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                              Source: C:\Users\user\Desktop\file.exeCode function: String function: 00E280C0 appears 130 times
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 001ADF80 appears 36 times
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: String function: 001A80C0 appears 260 times
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: String function: 00DB5190 appears 46 times
                              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: file.exeStatic PE information: Section: ZLIB complexity 0.9983129683242506
                              Source: skotes.exe.0.drStatic PE information: Section: ZLIB complexity 0.9983129683242506
                              Source: random[1].exe.6.drStatic PE information: Section: ZLIB complexity 0.9973177975171232
                              Source: random[1].exe.6.drStatic PE information: Section: uzxdwyvi ZLIB complexity 0.9946595600267777
                              Source: e565baa4b6.exe.6.drStatic PE information: Section: ZLIB complexity 0.9973177975171232
                              Source: e565baa4b6.exe.6.drStatic PE information: Section: uzxdwyvi ZLIB complexity 0.9946595600267777
                              Source: random[1].exe1.6.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                              Source: random[1].exe1.6.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                              Source: a2236cc5aa.exe.6.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                              Source: a2236cc5aa.exe.6.drStatic PE information: Section: .bss ZLIB complexity 1.0003343485169491
                              Source: random[3].exe.6.drStatic PE information: Section: ZLIB complexity 0.9974582619863014
                              Source: random[3].exe.6.drStatic PE information: Section: xnuzvlhe ZLIB complexity 0.994702490860937
                              Source: 1e467b8b46.exe.6.drStatic PE information: Section: ZLIB complexity 0.9974582619863014
                              Source: 1e467b8b46.exe.6.drStatic PE information: Section: xnuzvlhe ZLIB complexity 0.994702490860937
                              Source: random[1].exe2.6.drStatic PE information: Section: ZLIB complexity 0.9973980629280822
                              Source: random[1].exe2.6.drStatic PE information: Section: ijtgtnqw ZLIB complexity 0.9945006846635368
                              Source: 128703c003.exe.6.drStatic PE information: Section: ZLIB complexity 0.9973980629280822
                              Source: 128703c003.exe.6.drStatic PE information: Section: ijtgtnqw ZLIB complexity 0.9945006846635368
                              Source: random[4].exe.6.drStatic PE information: Section: ZLIB complexity 0.9951820514298892
                              Source: random[4].exe.6.drStatic PE information: Section: xmsxfkky ZLIB complexity 0.9925249169435216
                              Source: 5dfec4fe99.exe.6.drStatic PE information: Section: ZLIB complexity 0.9951820514298892
                              Source: 5dfec4fe99.exe.6.drStatic PE information: Section: xmsxfkky ZLIB complexity 0.9925249169435216
                              Source: random[5].exe.6.drStatic PE information: Section: biyvevdc ZLIB complexity 0.9944533911839863
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: Section: biyvevdc ZLIB complexity 0.9944533911839863
                              Source: 5dfec4fe99.exe.6.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                              Source: random[4].exe.6.drStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                              Source: 3494904393.exe.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 3494904393.exe.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: random[3].exe0.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: random[3].exe0.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: 7bbff7a3a2.exe.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: 7bbff7a3a2.exe.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: random[1].exe0.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                              Source: random[1].exe0.6.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                              Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@149/127@0/31
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exeJump to behavior
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\SyncRootManager
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeMutant created: NULL
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeMutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{f6bec8ba-58ff-4dfc-9981-2ec5ebd23734}-9MSZ40SLW145
                              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\abc3bc1985Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                              Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\desktop.iniJump to behavior
                              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                              Source: a2236cc5aa.exe, 00000009.00000003.2811868502.00000000037B7000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2948173459.00000000037BB000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811417329.00000000037D4000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3008900293.000000000537B000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3107194398.0000000005380000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3008201130.0000000005396000.00000004.00000800.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3593209600.0000000005CAC000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3425134928.0000000005CB8000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3173892198.0000000005E06000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3175373618.0000000005DEA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                              Source: file.exeReversingLabs: Detection: 50%
                              Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                              Source: skotes.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                              Source: skotes.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                              Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
                              Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeProcess created: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe"
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe "C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe"
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe "C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe "C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe "C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe"
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe "C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe"
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe"
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe "C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                              Source: unknownProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 --field-trial-handle=2108,i,8456486069817355234,11844497876439490650,262144 /prefetch:8
                              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                              Source: C:\Windows\System32\conhost.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3116d80-26e5-4678-b47c-6e372794e0eb} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 2800d16fd10 socket
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe "C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2244,i,11399492537237456067,12274902701966245916,262144 /prefetch:8
                              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe "C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe"
                              Source: C:\Windows\System32\conhost.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4304 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {822619a6-5657-47d3-80bf-2521004ff1f0} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 28020772b10 rdd
                              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe "C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=2228,i,13984323130618621561,12790505923431820552,262144 /prefetch:8
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe "C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe"
                              Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe "C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2268,i,11916466110525037174,8440217537469921044,262144 /prefetch:8
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
                              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe "C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe "C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe "C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe "C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe "C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe "C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeProcess created: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe"Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe "C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe "C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: unknown unknown
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: unknown unknown
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: unknown unknown
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 --field-trial-handle=2108,i,8456486069817355234,11844497876439490650,262144 /prefetch:8
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3116d80-26e5-4678-b47c-6e372794e0eb} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 2800d16fd10 socket
                              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4304 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {822619a6-5657-47d3-80bf-2521004ff1f0} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 28020772b10 rdd
                              Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2268,i,11916466110525037174,8440217537469921044,262144 /prefetch:8
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2244,i,11399492537237456067,12274902701966245916,262144 /prefetch:8
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=2228,i,13984323130618621561,12790505923431820552,262144 /prefetch:8
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2268,i,11916466110525037174,8440217537469921044,262144 /prefetch:8
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: mstask.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: dui70.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: duser.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: chartv.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: oleacc.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: atlthunk.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: textinputframework.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: coreuicomponents.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: wtsapi32.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: textshaping.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: explorerframe.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winmm.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: edputil.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: wintypes.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: appresolver.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: bcp47langs.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: slc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: sppc.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: webio.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: version.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: winhttp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: webio.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: mswsock.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: winnsi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: sspicli.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: dnsapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: rasadhlp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: fwpuclnt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: schannel.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: mskeyprotect.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ntasn1.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ncrypt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ncryptsslp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: msasn1.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: cryptsp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: rsaenh.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: gpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: dpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: wbemcomn.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: amsi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: profapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: mscoree.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: profapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: cryptsp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: rsaenh.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: dnsapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: winnsi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: rasapi32.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: rasman.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: rtutils.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: mswsock.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: winhttp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: rasadhlp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: fwpuclnt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: secur32.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: sspicli.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: schannel.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: mskeyprotect.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: ntasn1.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: ncrypt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: ncryptsslp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: msasn1.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: gpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: propsys.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: edputil.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: urlmon.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: iertutil.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: srvcli.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: netutils.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: wintypes.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: appresolver.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: bcp47langs.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: slc.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: sppc.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: onecorecommonproxystub.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeSection loaded: onecoreuapcommonproxystub.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: winhttp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: webio.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: mswsock.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: winnsi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: sspicli.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: dnsapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: rasadhlp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: fwpuclnt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: schannel.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: mskeyprotect.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: ntasn1.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: ncrypt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: ncryptsslp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: msasn1.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: cryptsp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: rsaenh.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: gpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: dpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: apphelp.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: sspicli.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: wininet.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: rstrtmgr.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: ncrypt.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: ntasn1.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: dbghelp.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: iertutil.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: windows.storage.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: wldp.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: profapi.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: kernel.appcore.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: winhttp.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: mswsock.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: iphlpapi.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: winnsi.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: urlmon.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: srvcli.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: netutils.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: dnsapi.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: rasadhlp.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: fwpuclnt.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: schannel.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: mskeyprotect.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: msasn1.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: dpapi.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: cryptsp.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: rsaenh.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: cryptbase.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: gpapi.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: ncryptsslp.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: ntmarta.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: uxtheme.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: windowscodecs.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: propsys.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: windows.fileexplorer.common.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: ntshrui.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: cscapi.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: linkinfo.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: edputil.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: wintypes.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: appresolver.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: bcp47langs.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: slc.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: userenv.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: sppc.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: onecorecommonproxystub.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: onecoreuapcommonproxystub.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: pcacli.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: mpr.dll
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeSection loaded: sfc_os.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: mscoree.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: kernel.appcore.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: version.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: uxtheme.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: cryptsp.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: rsaenh.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: cryptbase.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dwrite.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: msvcp140_clr0400.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windows.storage.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: wldp.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: profapi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windows.applicationmodel.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: twinapi.appcore.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: wintypes.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windows.globalization.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: bcp47langs.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: bcp47mrm.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dwmapi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: d3d9.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: d3d10warp.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: urlmon.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: iertutil.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: srvcli.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: netutils.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windowscodecs.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: msasn1.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: msisip.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: wshext.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: appxsip.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: opcservices.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: esdsip.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ncrypt.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ntasn1.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ncrypt.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ntasn1.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ncryptprov.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: wtsapi32.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: winsta.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: powrprof.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: umpdc.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windows.web.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dataexchange.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: d3d11.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dcomp.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dxgi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: resourcepolicyclient.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dxcore.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: textshaping.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: winmm.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: textinputframework.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: coreuicomponents.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: coremessaging.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ntmarta.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: coremessaging.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: msctfui.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: uiautomationcore.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: propsys.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: d3dcompiler_47.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: wininet.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: sspicli.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: rasapi32.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: rasman.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: rtutils.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: mswsock.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: winhttp.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: iphlpapi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dhcpcsvc.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: winnsi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: dnsapi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: rasadhlp.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: fwpuclnt.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: secur32.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: schannel.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: mskeyprotect.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ncryptsslp.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: gpapi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: installservice.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: userenv.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: mpr.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: onecoreuapcommonproxystub.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: slc.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: sppc.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: ieframe.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: netapi32.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: wkscli.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: edputil.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: mlang.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: policymanager.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: msvcp110_win.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: twinui.appcore.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: execmodelproxy.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: mscms.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: coloradapterclient.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windowscodecsext.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: mrmcorer.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windows.staterepositorycore.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: appxdeploymentclient.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windows.ui.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: windowmanagementapi.dll
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeSection loaded: inputhost.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: sspicli.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: wininet.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: rstrtmgr.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: ncrypt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: ntasn1.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: iertutil.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: profapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: winhttp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: mswsock.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: urlmon.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: srvcli.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: netutils.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: winnsi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: dpapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: cryptbase.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: dnsapi.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: fwpuclnt.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: rasadhlp.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: ntmarta.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: mozglue.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: wsock32.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: vcruntime140.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: msvcp140.dll
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSection loaded: vcruntime140.dll
                              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32Jump to behavior
                              Source: Window RecorderWindow detected: More than 3 window changes detected
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                              Source: file.exeStatic file information: File size 3023360 > 1048576
                              Source: file.exeStatic PE information: Raw size of kfjqblss is bigger than: 0x100000 < 0x2b0800
                              Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: 3494904393.exe, 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000000.3044420282.0000018167332000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256\u source: 3494904393.exe, 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000000.3044420282.0000018167332000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdb source: 3494904393.exe, 0000000B.00000000.2867570973.0000000000532000.00000002.00000001.01000000.0000000B.sdmp
                              Source: Binary string: C:\Users\danie\source\repos\NewText\NewText\obj\Debug\NewTextV2.pdbdj~j pj_CorExeMainmscoree.dll source: 3494904393.exe, 0000000B.00000000.2867570973.0000000000532000.00000002.00000001.01000000.0000000B.sdmp

                              Data Obfuscation

                              barindex
                              Detected unpacking (changes PE section rights)
                              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W;kfjqblss:EW;vivpivkj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;kfjqblss:EW;vivpivkj:EW;.taggant:EW;
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 2.2.skotes.exe.190000.0.unpack :EW;.rsrc:W;.idata :W;kfjqblss:EW;vivpivkj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;kfjqblss:EW;vivpivkj:EW;.taggant:EW;
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeUnpacked PE file: 3.2.skotes.exe.190000.0.unpack :EW;.rsrc:W;.idata :W;kfjqblss:EW;vivpivkj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;kfjqblss:EW;vivpivkj:EW;.taggant:EW;
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeUnpacked PE file: 10.2.e565baa4b6.exe.dc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;uzxdwyvi:EW;efzdldig:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;uzxdwyvi:EW;efzdldig:EW;.taggant:EW;
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeUnpacked PE file: 18.2.128703c003.exe.b70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ijtgtnqw:EW;jumutqrp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ijtgtnqw:EW;jumutqrp:EW;.taggant:EW;
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeUnpacked PE file: 45.2.2fc1eb1411.exe.9b0000.0.unpack :EW;.rsrc:W;.idata :W;ehjhpitf:EW;ijjaccto:EW;.taggant:EW; vs :ER;.rsrc:W;
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeUnpacked PE file: 54.2.2fc1eb1411.exe.9b0000.0.unpack :EW;.rsrc:W;.idata :W;ehjhpitf:EW;ijjaccto:EW;.taggant:EW; vs :ER;.rsrc:W;
                              Source: random[1].exe0.6.drStatic PE information: 0x94370F66 [Sun Oct 18 12:19:50 2048 UTC]
                              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                              Source: 1e467b8b46.exe.6.drStatic PE information: real checksum: 0x1ceb69 should be: 0x1dabc0
                              Source: random[1].exe.6.drStatic PE information: real checksum: 0x1d2d25 should be: 0x1d6b7c
                              Source: 101d940598.exe.6.drStatic PE information: real checksum: 0x0 should be: 0x324fc1
                              Source: 8a13e339a3.exe.6.drStatic PE information: real checksum: 0x2c79bb should be: 0x2c5eda
                              Source: random[3].exe1.6.drStatic PE information: real checksum: 0x0 should be: 0x324fc1
                              Source: random[1].exe2.6.drStatic PE information: real checksum: 0x1bef30 should be: 0x1bb53a
                              Source: 5dfec4fe99.exe.6.drStatic PE information: real checksum: 0x1e67b5 should be: 0x1ea0a4
                              Source: 2fc1eb1411.exe.6.drStatic PE information: real checksum: 0x2b9e5c should be: 0x2affdc
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: real checksum: 0x4481f0 should be: 0x44f698
                              Source: 7bbff7a3a2.exe.6.drStatic PE information: real checksum: 0x0 should be: 0x6066
                              Source: random[3].exe.6.drStatic PE information: real checksum: 0x1ceb69 should be: 0x1dabc0
                              Source: skotes.exe.0.drStatic PE information: real checksum: 0x2e35a5 should be: 0x2ee0bf
                              Source: random[1].exe0.6.drStatic PE information: real checksum: 0x0 should be: 0x14b59
                              Source: random[1].exe1.6.drStatic PE information: real checksum: 0x0 should be: 0xc8597
                              Source: 128703c003.exe.6.drStatic PE information: real checksum: 0x1bef30 should be: 0x1bb53a
                              Source: 3494904393.exe.6.drStatic PE information: real checksum: 0x0 should be: 0x14b59
                              Source: e565baa4b6.exe.6.drStatic PE information: real checksum: 0x1d2d25 should be: 0x1d6b7c
                              Source: a2236cc5aa.exe.6.drStatic PE information: real checksum: 0x0 should be: 0xc8597
                              Source: random[3].exe0.6.drStatic PE information: real checksum: 0x0 should be: 0x6066
                              Source: random[5].exe.6.drStatic PE information: real checksum: 0x4481f0 should be: 0x44f698
                              Source: random[4].exe.6.drStatic PE information: real checksum: 0x1e67b5 should be: 0x1ea0a4
                              Source: random[2].exe1.6.drStatic PE information: real checksum: 0x2b9e5c should be: 0x2affdc
                              Source: file.exeStatic PE information: real checksum: 0x2e35a5 should be: 0x2ee0bf
                              Source: random[2].exe.6.drStatic PE information: real checksum: 0x2c79bb should be: 0x2c5eda
                              Source: file.exeStatic PE information: section name:
                              Source: file.exeStatic PE information: section name: .idata
                              Source: file.exeStatic PE information: section name: kfjqblss
                              Source: file.exeStatic PE information: section name: vivpivkj
                              Source: file.exeStatic PE information: section name: .taggant
                              Source: skotes.exe.0.drStatic PE information: section name:
                              Source: skotes.exe.0.drStatic PE information: section name: .idata
                              Source: skotes.exe.0.drStatic PE information: section name: kfjqblss
                              Source: skotes.exe.0.drStatic PE information: section name: vivpivkj
                              Source: skotes.exe.0.drStatic PE information: section name: .taggant
                              Source: random[1].exe.6.drStatic PE information: section name:
                              Source: random[1].exe.6.drStatic PE information: section name: .idata
                              Source: random[1].exe.6.drStatic PE information: section name:
                              Source: random[1].exe.6.drStatic PE information: section name: uzxdwyvi
                              Source: random[1].exe.6.drStatic PE information: section name: efzdldig
                              Source: random[1].exe.6.drStatic PE information: section name: .taggant
                              Source: e565baa4b6.exe.6.drStatic PE information: section name:
                              Source: e565baa4b6.exe.6.drStatic PE information: section name: .idata
                              Source: e565baa4b6.exe.6.drStatic PE information: section name:
                              Source: e565baa4b6.exe.6.drStatic PE information: section name: uzxdwyvi
                              Source: e565baa4b6.exe.6.drStatic PE information: section name: efzdldig
                              Source: e565baa4b6.exe.6.drStatic PE information: section name: .taggant
                              Source: random[3].exe.6.drStatic PE information: section name:
                              Source: random[3].exe.6.drStatic PE information: section name: .idata
                              Source: random[3].exe.6.drStatic PE information: section name:
                              Source: random[3].exe.6.drStatic PE information: section name: xnuzvlhe
                              Source: random[3].exe.6.drStatic PE information: section name: tzuttanx
                              Source: random[3].exe.6.drStatic PE information: section name: .taggant
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name:
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name: .idata
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name:
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name: xnuzvlhe
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name: tzuttanx
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name: .taggant
                              Source: random[1].exe2.6.drStatic PE information: section name:
                              Source: random[1].exe2.6.drStatic PE information: section name: .idata
                              Source: random[1].exe2.6.drStatic PE information: section name:
                              Source: random[1].exe2.6.drStatic PE information: section name: ijtgtnqw
                              Source: random[1].exe2.6.drStatic PE information: section name: jumutqrp
                              Source: random[1].exe2.6.drStatic PE information: section name: .taggant
                              Source: 128703c003.exe.6.drStatic PE information: section name:
                              Source: 128703c003.exe.6.drStatic PE information: section name: .idata
                              Source: 128703c003.exe.6.drStatic PE information: section name:
                              Source: 128703c003.exe.6.drStatic PE information: section name: ijtgtnqw
                              Source: 128703c003.exe.6.drStatic PE information: section name: jumutqrp
                              Source: 128703c003.exe.6.drStatic PE information: section name: .taggant
                              Source: random[2].exe.6.drStatic PE information: section name:
                              Source: random[2].exe.6.drStatic PE information: section name: .idata
                              Source: random[2].exe.6.drStatic PE information: section name: uqvrrapw
                              Source: random[2].exe.6.drStatic PE information: section name: blfuhhpc
                              Source: random[2].exe.6.drStatic PE information: section name: .taggant
                              Source: 8a13e339a3.exe.6.drStatic PE information: section name:
                              Source: 8a13e339a3.exe.6.drStatic PE information: section name: .idata
                              Source: 8a13e339a3.exe.6.drStatic PE information: section name: uqvrrapw
                              Source: 8a13e339a3.exe.6.drStatic PE information: section name: blfuhhpc
                              Source: 8a13e339a3.exe.6.drStatic PE information: section name: .taggant
                              Source: random[4].exe.6.drStatic PE information: section name:
                              Source: random[4].exe.6.drStatic PE information: section name: .idata
                              Source: random[4].exe.6.drStatic PE information: section name:
                              Source: random[4].exe.6.drStatic PE information: section name: xmsxfkky
                              Source: random[4].exe.6.drStatic PE information: section name: uydpyjdy
                              Source: random[4].exe.6.drStatic PE information: section name: .taggant
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name:
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name: .idata
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name:
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name: xmsxfkky
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name: uydpyjdy
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name: .taggant
                              Source: random[2].exe1.6.drStatic PE information: section name:
                              Source: random[2].exe1.6.drStatic PE information: section name: .idata
                              Source: random[2].exe1.6.drStatic PE information: section name: ehjhpitf
                              Source: random[2].exe1.6.drStatic PE information: section name: ijjaccto
                              Source: random[2].exe1.6.drStatic PE information: section name: .taggant
                              Source: 2fc1eb1411.exe.6.drStatic PE information: section name:
                              Source: 2fc1eb1411.exe.6.drStatic PE information: section name: .idata
                              Source: 2fc1eb1411.exe.6.drStatic PE information: section name: ehjhpitf
                              Source: 2fc1eb1411.exe.6.drStatic PE information: section name: ijjaccto
                              Source: 2fc1eb1411.exe.6.drStatic PE information: section name: .taggant
                              Source: random[5].exe.6.drStatic PE information: section name:
                              Source: random[5].exe.6.drStatic PE information: section name: .idata
                              Source: random[5].exe.6.drStatic PE information: section name:
                              Source: random[5].exe.6.drStatic PE information: section name: biyvevdc
                              Source: random[5].exe.6.drStatic PE information: section name: aogmlwgx
                              Source: random[5].exe.6.drStatic PE information: section name: .taggant
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name:
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name: .idata
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name:
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name: biyvevdc
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name: aogmlwgx
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name: .taggant
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2D91C push ecx; ret 0_2_00E2D92F
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E21359 push es; ret 0_2_00E2135A
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001AD91C push ecx; ret 2_2_001AD92F
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001AD91C push ecx; ret 3_2_001AD92F
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB534A push ecx; ret 7_2_00DB535D
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012949B5 push eax; ret 9_3_01294AEB
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012949B5 push eax; ret 9_3_01294AEB
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01292336 push edi; retf 9_3_0129233A
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01292336 push edi; retf 9_3_0129233A
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01292B8C push 00000046h; retf 9_3_01292B95
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01292B8C push 00000046h; retf 9_3_01292B95
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01290B60 push eax; ret 9_3_01290BA1
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01290B49 push eax; ret 9_3_01290BA1
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122C362 pushad ; ret 9_3_0122C365
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CB62 pushad ; retf 9_3_0122CB65
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CF62 pushad ; iretd 9_3_0122CF65
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CB66 push 680122CBh; retf 9_3_0122CB6D
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122C366 push 680122C3h; ret 9_3_0122C36D
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CF66 push 680122CFh; iretd 9_3_0122CF6D
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01235E68 push 00000046h; retf 9_3_01235E71
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_01235E68 push 00000046h; retf 9_3_01235E71
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CF4E push eax; iretd 9_3_0122CF51
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CB4E push eax; retf 9_3_0122CB51
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122C34E push eax; ret 9_3_0122C351
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CB52 push eax; retf 9_3_0122CB55
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122C352 push eax; ret 9_3_0122C355
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CF52 push eax; iretd 9_3_0122CF55
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CB5E pushad ; retf 9_3_0122CB61
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122C35E pushad ; ret 9_3_0122C361
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_0122CF5E pushad ; iretd 9_3_0122CF61
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 9_3_012348D1 push 00000046h; retf 9_3_012348DA
                              Source: file.exeStatic PE information: section name: entropy: 7.985538983935103
                              Source: skotes.exe.0.drStatic PE information: section name: entropy: 7.985538983935103
                              Source: random[1].exe.6.drStatic PE information: section name: entropy: 7.974324170155358
                              Source: random[1].exe.6.drStatic PE information: section name: uzxdwyvi entropy: 7.955304664762435
                              Source: e565baa4b6.exe.6.drStatic PE information: section name: entropy: 7.974324170155358
                              Source: e565baa4b6.exe.6.drStatic PE information: section name: uzxdwyvi entropy: 7.955304664762435
                              Source: random[3].exe.6.drStatic PE information: section name: entropy: 7.983709808349382
                              Source: random[3].exe.6.drStatic PE information: section name: xnuzvlhe entropy: 7.953847578299681
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name: entropy: 7.983709808349382
                              Source: 1e467b8b46.exe.6.drStatic PE information: section name: xnuzvlhe entropy: 7.953847578299681
                              Source: random[1].exe2.6.drStatic PE information: section name: entropy: 7.983747269135125
                              Source: random[1].exe2.6.drStatic PE information: section name: ijtgtnqw entropy: 7.953803089341506
                              Source: 128703c003.exe.6.drStatic PE information: section name: entropy: 7.983747269135125
                              Source: 128703c003.exe.6.drStatic PE information: section name: ijtgtnqw entropy: 7.953803089341506
                              Source: random[4].exe.6.drStatic PE information: section name: entropy: 7.979153316979525
                              Source: random[4].exe.6.drStatic PE information: section name: xmsxfkky entropy: 7.952028696274607
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name: entropy: 7.979153316979525
                              Source: 5dfec4fe99.exe.6.drStatic PE information: section name: xmsxfkky entropy: 7.952028696274607
                              Source: random[5].exe.6.drStatic PE information: section name: biyvevdc entropy: 7.956080074817993
                              Source: 4c7aea0d0a.exe.6.drStatic PE information: section name: biyvevdc entropy: 7.956080074817993
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017997001\4e48e9ad99.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[3].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017989001\4c7aea0d0a.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile created: C:\Users\user\AppData\Local\Temp\RIZ8QT1S0BQ20WD7KBBS21.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017992001\e7bd366d99.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017996001\9c5dc2c478.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017986001\5dfec4fe99.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017993001\718f24a5dc.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeFile created: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[5].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017998001\ab2f510d23.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017987001\7bbff7a3a2.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017985001\1e467b8b46.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[5].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017988001\2dc416cfa5.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017995001\8d966c471d.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017991001\617d9fb7ad.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017983001\f71e300ff9.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017999001\daaacc90a2.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exeJump to dropped file
                              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017994001\98679d2b4b.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile created: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile created: C:\Users\user\AppData\Local\Temp\WHQUF4KURLOTATA7WCHH.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile created: C:\Users\user\AppData\Local\Temp\TYUE4E8K2GIAZ6KSY1ZAXK0WL48NIVF.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeFile created: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile created: C:\Users\user\AppData\Local\Temp\DFAWHTB6ZKNPCDBIS7.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file

                              Boot Survival

                              barindex
                              Creates multiple autostart registry keys
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4e48e9ad99.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2fc1eb1411.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 128703c003.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a13e339a3.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8d966c471d.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c5dc2c478.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7ccdd68f3b.exeJump to behavior
                              Monitors registry run keys for changes
                              Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeRegistry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                              Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonClassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonclassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: FilemonclassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow searched: window name: RegmonclassJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: Filemonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: Filemonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: Filemonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: Filemonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: Filemonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: Regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: Filemonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: RegmonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: FilemonClass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                              Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\skotes.jobJump to behavior
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
                              Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 128703c003.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 128703c003.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a13e339a3.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8a13e339a3.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7ccdd68f3b.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7ccdd68f3b.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2fc1eb1411.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2fc1eb1411.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8d966c471d.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8d966c471d.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c5dc2c478.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c5dc2c478.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4e48e9ad99.exeJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4e48e9ad99.exeJump to behavior

                              Hooking and other Techniques for Hiding and Protection

                              barindex
                              Loading BitLocker PowerShell Module
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                              Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              barindex
                              Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_2-9724
                              Query firmware table information (likely to detect VMs)
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeSystem information queried: FirmwareTableInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSystem information queried: FirmwareTableInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSystem information queried: FirmwareTableInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSystem information queried: FirmwareTableInformation
                              Tries to detect sandboxes / dynamic malware analysis system (registry check)
                              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeFile opened: HKEY_CURRENT_USER\Software\Wine
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                              Source: 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043744464.000000000041F000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: %HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION
                              Tries to detect virtualization through RDTSC time measurements
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF78C second address: FFF792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF792 second address: FFF79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE94C2 second address: FE94D5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7085255316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE94D5 second address: FE94DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE94DB second address: FE94DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE94DF second address: FE94E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE94E3 second address: FE9510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7085255325h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F708525531Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFECE2 second address: FFECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFECE8 second address: FFED0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jns 00007F7085255316h 0x0000000c pop edx 0x0000000d jmp 00007F708525531Fh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFED0F second address: FFED15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFED15 second address: FFED2F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F7085255324h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFF035 second address: FFF03B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002AE7 second address: 1002B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F708525531Dh 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 jng 00007F7085255324h 0x00000016 pushad 0x00000017 jnp 00007F7085255316h 0x0000001d jne 00007F7085255316h 0x00000023 popad 0x00000024 mov eax, dword ptr [esp+04h] 0x00000028 pushad 0x00000029 jmp 00007F7085255321h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 pop eax 0x00000032 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002C02 second address: 1002C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002C0C second address: 1002C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 2EB13027h 0x0000000d mov ecx, dword ptr [ebp+122D2C8Eh] 0x00000013 push 00000003h 0x00000015 or ecx, 673BD2AAh 0x0000001b push 00000000h 0x0000001d mov ch, bh 0x0000001f push 00000003h 0x00000021 mov ecx, dword ptr [ebp+122D1C8Eh] 0x00000027 call 00007F7085255319h 0x0000002c jmp 00007F7085255326h 0x00000031 push eax 0x00000032 push edi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002C58 second address: 1002C7D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7084E7CE44h 0x00000016 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002C7D second address: 1002C83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002C83 second address: 1002C9B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007F7084E7CE38h 0x00000016 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002C9B second address: 1002CA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002CA2 second address: 1002CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jp 00007F7084E7CE3Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002D4B second address: 1002D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002ECA second address: 1002ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002ECE second address: 1002EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007F708525531Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7085255326h 0x00000016 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002EFB second address: 1002FCA instructions: 0x00000000 rdtsc 0x00000002 js 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c and edx, dword ptr [ebp+122D2C8Eh] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F7084E7CE38h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push A1483D9Bh 0x00000033 push esi 0x00000034 jmp 00007F7084E7CE49h 0x00000039 pop esi 0x0000003a add dword ptr [esp], 5EB7C2E5h 0x00000041 jmp 00007F7084E7CE3Dh 0x00000046 mov ecx, dword ptr [ebp+122D2ED2h] 0x0000004c push 00000003h 0x0000004e pushad 0x0000004f sub dword ptr [ebp+122D3509h], edx 0x00000055 mov ecx, dword ptr [ebp+122D2CD2h] 0x0000005b popad 0x0000005c call 00007F7084E7CE3Ah 0x00000061 xor dword ptr [ebp+122D3518h], esi 0x00000067 pop edi 0x00000068 push 00000000h 0x0000006a jmp 00007F7084E7CE3Eh 0x0000006f push 00000003h 0x00000071 mov ecx, dword ptr [ebp+122D1C3Ch] 0x00000077 stc 0x00000078 call 00007F7084E7CE39h 0x0000007d pushad 0x0000007e jmp 00007F7084E7CE43h 0x00000083 push eax 0x00000084 push edx 0x00000085 jmp 00007F7084E7CE3Bh 0x0000008a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002FCA second address: 1002FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002FCE second address: 1002FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F7084E7CE44h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002FF3 second address: 1002FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1002FF8 second address: 1003068 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnl 00007F7084E7CE4Eh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 ja 00007F7084E7CE3Ah 0x0000001b push esi 0x0000001c pushad 0x0000001d popad 0x0000001e pop esi 0x0000001f pop eax 0x00000020 add dword ptr [ebp+122D3A49h], eax 0x00000026 lea ebx, dword ptr [ebp+12457A76h] 0x0000002c mov dword ptr [ebp+122D366Bh], ebx 0x00000032 jnc 00007F7084E7CE38h 0x00000038 mov dl, 0Eh 0x0000003a push eax 0x0000003b js 00007F7084E7CE49h 0x00000041 pushad 0x00000042 jmp 00007F7084E7CE3Bh 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022BD5 second address: 1022BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F7085255326h 0x0000000b jmp 00007F7085255320h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020A34 second address: 1020A3E instructions: 0x00000000 rdtsc 0x00000002 je 00007F7084E7CE36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020C0B second address: 1020C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020C0F second address: 1020C13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020E9A second address: 1020E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020E9F second address: 1020EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE48h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102102B second address: 1021031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021031 second address: 1021036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10211CF second address: 10211D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10211D3 second address: 10211D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102149B second address: 10214B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255321h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10214B6 second address: 10214C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7084E7CE36h 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10214C0 second address: 10214C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021634 second address: 1021648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE40h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021A7C second address: 1021A9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7085255326h 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1021BDB second address: 1021C16 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F7084E7CE3Bh 0x00000012 pop ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 jmp 00007F7084E7CE47h 0x0000001a pushad 0x0000001b jng 00007F7084E7CE36h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022365 second address: 1022369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022369 second address: 102237D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7084E7CE3Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022A7A second address: 1022A84 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7085255316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1024FA4 second address: 1024FA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1024FA8 second address: 1024FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F7085255316h 0x00000012 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1024FBA second address: 1024FC4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025FFA second address: 102602E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 jno 00007F708525532Dh 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F708525531Bh 0x00000017 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E03B second address: 102E03F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E73F second address: 102E743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E743 second address: 102E74D instructions: 0x00000000 rdtsc 0x00000002 je 00007F7084E7CE36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E74D second address: 102E75D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 je 00007F7085255324h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E75D second address: 102E763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E8AC second address: 102E8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7085255326h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E8C8 second address: 102E8D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7084E7CE36h 0x0000000a popad 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E8D3 second address: 102E8D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E8D9 second address: 102E8FD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7084E7CE36h 0x00000008 jmp 00007F7084E7CE47h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102FC31 second address: 102FC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102FDE9 second address: 102FDF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F7084E7CE36h 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102FF25 second address: 102FF2F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F708525531Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030104 second address: 1030108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030108 second address: 103010E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10303D3 second address: 10303DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103091E second address: 103093D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030D9C second address: 1030DA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030DA2 second address: 1030DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F7085255316h 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030DAC second address: 1030DB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030DB0 second address: 1030DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030DBF second address: 1030DF6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F7084E7CE38h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 add edi, 22EC1BF0h 0x00000029 push eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e pop esi 0x0000002f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030DF6 second address: 1030DFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1031DD0 second address: 1031DE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE44h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1031DE8 second address: 1031DFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007F708525531Eh 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032E63 second address: 1032E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7084E7CE36h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032E72 second address: 1032E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032E76 second address: 1032E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10338D0 second address: 1033926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F7085255318h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D260Eh], eax 0x0000002d push 00000000h 0x0000002f or dword ptr [ebp+122D25DCh], eax 0x00000035 push 00000000h 0x00000037 jne 00007F7085255316h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push esi 0x00000041 jmp 00007F7085255321h 0x00000046 pop esi 0x00000047 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1033674 second address: 103368D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7084E7CE44h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034DCC second address: 1034DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7085255316h 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034B56 second address: 1034B7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F7084E7CE36h 0x00000009 jmp 00007F7084E7CE3Fh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 js 00007F7084E7CE40h 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034DD6 second address: 1034E10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b add dword ptr [ebp+122D3541h], esi 0x00000011 push 00000000h 0x00000013 mov si, ax 0x00000016 push 00000000h 0x00000018 jmp 00007F7085255324h 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pop edx 0x00000023 jc 00007F708525531Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10357A8 second address: 10357AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10357AE second address: 10357B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103552C second address: 1035531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1035531 second address: 1035537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103623C second address: 1036240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036240 second address: 103629E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F7085255321h 0x0000000e mov esi, dword ptr [ebp+122D2E4Eh] 0x00000014 push 00000000h 0x00000016 mov edi, 14B8FC8Ah 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007F7085255318h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 jmp 00007F708525531Bh 0x0000003c push eax 0x0000003d js 00007F7085255324h 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103629E second address: 10362A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A12E second address: 103A138 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F708525531Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A138 second address: 103A15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D2A5Eh], edx 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D33FEh] 0x00000017 push 00000000h 0x00000019 mov ebx, dword ptr [ebp+12483AD7h] 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 push esi 0x00000024 pop esi 0x00000025 pop edx 0x00000026 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103B130 second address: 103B134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103B134 second address: 103B142 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A2DF second address: 103A2E9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7085255316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A2E9 second address: 103A2EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103A2EF second address: 103A2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103B33A second address: 103B3B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, ecx 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr [ebp+124849DBh], esi 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F7084E7CE38h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a add bx, 3752h 0x0000003f mov bl, E8h 0x00000041 mov edi, dword ptr [ebp+122D1C37h] 0x00000047 mov eax, dword ptr [ebp+122D00C1h] 0x0000004d mov edi, dword ptr [ebp+122D1EC7h] 0x00000053 push FFFFFFFFh 0x00000055 mov bx, cx 0x00000058 nop 0x00000059 jne 00007F7084E7CE42h 0x0000005f push eax 0x00000060 pushad 0x00000061 pushad 0x00000062 pushad 0x00000063 popad 0x00000064 push edx 0x00000065 pop edx 0x00000066 popad 0x00000067 push eax 0x00000068 push edx 0x00000069 jc 00007F7084E7CE36h 0x0000006f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C21E second address: 103C2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7085255329h 0x00000009 popad 0x0000000a pushad 0x0000000b jne 00007F7085255316h 0x00000011 jno 00007F7085255316h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a jp 00007F708525532Ch 0x00000020 nop 0x00000021 je 00007F708525531Ch 0x00000027 mov edi, dword ptr [ebp+122D32BAh] 0x0000002d adc bl, FFFFFF83h 0x00000030 push dword ptr fs:[00000000h] 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F7085255318h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 mov ebx, dword ptr [ebp+122D2F56h] 0x00000057 mov ebx, dword ptr [ebp+122D2E7Eh] 0x0000005d mov dword ptr [ebp+1247BC3Dh], ebx 0x00000063 mov dword ptr fs:[00000000h], esp 0x0000006a jnp 00007F7085255318h 0x00000070 mov ebx, eax 0x00000072 mov eax, dword ptr [ebp+122D10B9h] 0x00000078 mov edi, 2FD24F22h 0x0000007d push FFFFFFFFh 0x0000007f mov edi, dword ptr [ebp+122D3165h] 0x00000085 nop 0x00000086 jng 00007F7085255324h 0x0000008c push eax 0x0000008d push edx 0x0000008e push edx 0x0000008f pop edx 0x00000090 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C2DC second address: 103C2E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DFFA second address: 103E01F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F708525531Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7085255322h 0x00000012 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103E325 second address: 103E345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F7084E7CE36h 0x00000009 jmp 00007F7084E7CE3Eh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103E345 second address: 103E349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103E349 second address: 103E379 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7084E7CE44h 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F235 second address: 103F24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7085255323h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F24C second address: 103F250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103F250 second address: 103F26A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F708525531Fh 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104020A second address: 1040214 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104307B second address: 1043080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043080 second address: 1043092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7084E7CE36h 0x0000000a jnp 00007F7084E7CE36h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043092 second address: 10430A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F7085255316h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10430A1 second address: 10430A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043675 second address: 1043679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044692 second address: 10446F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 sub dword ptr [ebp+122D3179h], esi 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F7084E7CE38h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a or dword ptr [ebp+122D3154h], edi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F7084E7CE38h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov ebx, ecx 0x0000004e mov di, dx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10446F6 second address: 10446FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10446FA second address: 10446FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10446FE second address: 1044704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104565C second address: 1045661 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043863 second address: 1043874 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1046939 second address: 104693E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043874 second address: 10438FB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F7085255316h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov bx, ax 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov edi, 0B6CE88Eh 0x0000001e jng 00007F708525531Dh 0x00000024 jns 00007F7085255317h 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 sub dword ptr [ebp+122D377Dh], esi 0x00000037 mov eax, dword ptr [ebp+122D03B5h] 0x0000003d call 00007F7085255320h 0x00000042 mov ebx, dword ptr [ebp+122D3735h] 0x00000048 pop edi 0x00000049 push FFFFFFFFh 0x0000004b push edi 0x0000004c mov dword ptr [ebp+122D1D8Eh], edi 0x00000052 pop ebx 0x00000053 or edi, dword ptr [ebp+122D2EAAh] 0x00000059 nop 0x0000005a jmp 00007F7085255326h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jbe 00007F7085255318h 0x00000068 push ebx 0x00000069 pop ebx 0x0000006a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10486F6 second address: 1048705 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104783A second address: 1047844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F7085255316h 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104A5B2 second address: 104A5BC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10497C9 second address: 10497CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104C744 second address: 104C762 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7084E7CE38h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7084E7CE40h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF35D1 second address: FF35E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F7085255316h 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF35E0 second address: FF35FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7084E7CE3Dh 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF35FC second address: FF3604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF3604 second address: FF3608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE795E second address: FE7966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE7966 second address: FE799D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE48h 0x00000007 jmp 00007F7084E7CE45h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10556FA second address: 10556FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10556FF second address: 1055705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055705 second address: 1055711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055711 second address: 105571E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jbe 00007F7084E7CE47h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105571E second address: 105572D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F708525531Bh 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105587D second address: 1055883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055883 second address: 105588D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7085255316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AE49 second address: 105AE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AE4D second address: 105AE5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AE5E second address: 105AE63 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105AF26 second address: 105AF2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106016B second address: 1060171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060171 second address: 1060175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060789 second address: 106078D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106078D second address: 1060795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060A40 second address: 1060A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060A44 second address: 1060A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7085255325h 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060B9A second address: 1060BB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F7084E7CE43h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F7084E7CE3Bh 0x00000013 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060D03 second address: 1060D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7085255316h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F708525531Ah 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7085255328h 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e jmp 00007F7085255327h 0x00000023 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060D50 second address: 1060D56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060D56 second address: 1060D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060D5C second address: 1060D62 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060EBB second address: 1060EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1060EBF second address: 1060EE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F7084E7CE48h 0x0000000c jmp 00007F7084E7CE42h 0x00000011 pop eax 0x00000012 pushad 0x00000013 push ecx 0x00000014 jng 00007F7084E7CE36h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066EE3 second address: 1066F05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7085255328h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066F05 second address: 1066F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065B60 second address: 1065B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065B65 second address: 1065B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065B6B second address: 1065B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065CF2 second address: 1065CFF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007F7084E7CE36h 0x00000009 pop ecx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066283 second address: 1066299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10663F9 second address: 1066422 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7084E7CE47h 0x00000008 jmp 00007F7084E7CE3Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066422 second address: 1066432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jc 00007F708525531Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106658F second address: 1066595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066595 second address: 10665A2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7085255318h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066758 second address: 106675C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10668B5 second address: 10668B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10668B9 second address: 10668BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA0CA second address: FFA0D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007F7085255316h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FFA0D8 second address: FFA0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D388 second address: 106D3A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D3A1 second address: 106D3A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D3A9 second address: 106D3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106D3AD second address: 106D3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071A8C second address: 1071A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071A90 second address: 1071A95 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071A95 second address: 1071AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007F7085255322h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071D0B second address: 1071D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071FEA second address: 1071FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072120 second address: 1072124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072124 second address: 1072146 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7085255316h 0x00000008 jmp 00007F7085255323h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072146 second address: 107214C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10717A5 second address: 10717B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072571 second address: 1072586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jns 00007F7084E7CE36h 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007F7084E7CE36h 0x00000014 popad 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072586 second address: 1072592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7085255316h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072592 second address: 1072596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072596 second address: 107259C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10372C5 second address: 1037340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F7084E7CE38h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 movzx edi, cx 0x0000002a lea eax, dword ptr [ebp+1248C06Bh] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F7084E7CE38h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a mov ecx, dword ptr [ebp+122D2EBEh] 0x00000050 nop 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F7084E7CE3Dh 0x0000005a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037340 second address: 1037346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037346 second address: 103734C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103734C second address: 1037350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037350 second address: 1037354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037354 second address: 1015F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jnl 00007F708525532Ah 0x00000010 pop ecx 0x00000011 nop 0x00000012 adc ecx, 5950DCCEh 0x00000018 call dword ptr [ebp+122D3883h] 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 jmp 00007F7085255325h 0x00000026 jne 00007F7085255316h 0x0000002c pop ebx 0x0000002d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10376BC second address: 10376D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10376D5 second address: 10376F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F7085255324h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10376F8 second address: 1037702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7084E7CE36h 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037702 second address: 1037706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10378C0 second address: 10378C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10378C4 second address: 10378FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 ja 00007F7085255323h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jmp 00007F7085255323h 0x0000001d popad 0x0000001e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10378FD second address: 1037925 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7084E7CE3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b cld 0x0000000c call 00007F7084E7CE39h 0x00000011 push esi 0x00000012 push esi 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pushad 0x0000001c popad 0x0000001d pop esi 0x0000001e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037925 second address: 1037964 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7085255323h 0x00000008 jmp 00007F708525531Dh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 jne 00007F708525531Ch 0x0000001b pop eax 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037964 second address: 1037969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037A6A second address: 1037A80 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F7085255316h 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037BB7 second address: 1037BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037E01 second address: 1037E1F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F7085255320h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037E1F second address: 1037E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038289 second address: 10382D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 0000001Eh 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F7085255318h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 and ecx, dword ptr [ebp+122D2F42h] 0x0000002b call 00007F7085255322h 0x00000030 cmc 0x00000031 pop edi 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10383C1 second address: 10383C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10383C7 second address: 10383CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10383CC second address: 10383D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1038696 second address: 10386AD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F708525531Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop edx 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10386AD second address: 10386BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE3Bh 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10386BC second address: 10386E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 or ecx, dword ptr [ebp+122D3500h] 0x0000000f lea eax, dword ptr [ebp+1248C06Bh] 0x00000015 mov edi, dword ptr [ebp+122D3518h] 0x0000001b jmp 00007F708525531Ah 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10386E7 second address: 10386F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7084E7CE36h 0x0000000a popad 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1076514 second address: 107651A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1076690 second address: 107669C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7084E7CE36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107669C second address: 10766E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F708525531Ch 0x0000000b jc 00007F7085255316h 0x00000011 jnl 00007F7085255316h 0x00000017 popad 0x00000018 push eax 0x00000019 jc 00007F7085255316h 0x0000001f pop eax 0x00000020 popad 0x00000021 pushad 0x00000022 jns 00007F7085255318h 0x00000028 jmp 00007F7085255320h 0x0000002d push eax 0x0000002e push edx 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10766E1 second address: 10766E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10766E5 second address: 1076700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F708525531Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F7085255316h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10769A9 second address: 10769AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1076C34 second address: 1076C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7085255328h 0x00000009 pop edi 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1076D98 second address: 1076DB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7084E7CE42h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1076DB0 second address: 1076DBA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F708525531Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107C183 second address: 107C189 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B9EA second address: 107B9F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BE7F second address: 107BE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7084E7CE40h 0x00000009 popad 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BE94 second address: 107BE9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BE9A second address: 107BE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E316 second address: 107E31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E31A second address: 107E320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E320 second address: 107E335 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7085255318h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F7085255348h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10829E8 second address: 10829EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10829EC second address: 10829F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082B81 second address: 1082B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082FE5 second address: 1082FEF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7085255316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082FEF second address: 1082FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F7084E7CE3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083125 second address: 1083149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F708525531Eh 0x0000000d jmp 00007F708525531Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083149 second address: 1083151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083151 second address: 1083161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F708525532Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083161 second address: 1083175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7084E7CE40h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083175 second address: 108317D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108317D second address: 1083181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083181 second address: 1083185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084C61 second address: 1084C6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1084C6A second address: 1084C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7085255326h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10890BA second address: 10890C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10890C0 second address: 1089107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F7085255327h 0x0000000d pop esi 0x0000000e jmp 00007F7085255326h 0x00000013 popad 0x00000014 pushad 0x00000015 jns 00007F708525531Ch 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089107 second address: 1089114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103807D second address: 1038081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089A7D second address: 1089A81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E536 second address: 108E53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E53C second address: 108E542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E542 second address: 108E55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7085255323h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E55D second address: 108E567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E567 second address: 108E572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7085255316h 0x0000000a pop eax 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DE95 second address: 108DE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DE99 second address: 108DECB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F7085255318h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F708525531Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DECB second address: 108DED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DED1 second address: 108DED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DED6 second address: 108DEFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F7084E7CE36h 0x00000009 jmp 00007F7084E7CE49h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DEFA second address: 108DF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E1F5 second address: 108E23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F7084E7CE36h 0x00000010 popad 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 jo 00007F7084E7CE36h 0x0000001a pop edi 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7084E7CE44h 0x00000023 jmp 00007F7084E7CE48h 0x00000028 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E23F second address: 108E248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108E248 second address: 108E261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F7084E7CE41h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094AEB second address: 1094AF6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jne 00007F7085255316h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1094D9B second address: 1094DDA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F7084E7CE3Dh 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 popad 0x00000016 push ebx 0x00000017 pushad 0x00000018 jns 00007F7084E7CE36h 0x0000001e jmp 00007F7084E7CE47h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10956BD second address: 10956C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10956C1 second address: 10956C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10962E6 second address: 1096309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Ch 0x00000007 pushad 0x00000008 jmp 00007F708525531Ch 0x0000000d jg 00007F7085255316h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1096309 second address: 1096329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7084E7CE44h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1096329 second address: 1096332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1096332 second address: 1096338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1096338 second address: 109633C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109633C second address: 1096342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A8A6 second address: 109A8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7085255326h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F7085255320h 0x00000014 jmp 00007F7085255325h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099AA9 second address: 1099AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099C27 second address: 1099C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099DC2 second address: 1099DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099DC8 second address: 1099DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099EF7 second address: 1099EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A429 second address: 109A42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6E7E second address: 10A6EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7084E7CE46h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push esi 0x0000000d jne 00007F7084E7CE36h 0x00000013 pop esi 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F7084E7CE48h 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6EBE second address: 10A6ECA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F708525531Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A6ECA second address: 10A6EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007F7084E7CE3Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A50CC second address: 10A50F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 pushad 0x00000008 jns 00007F7085255316h 0x0000000e jmp 00007F7085255329h 0x00000013 popad 0x00000014 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A50F4 second address: 10A510A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE42h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A554F second address: 10A5553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A567E second address: 10A568A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F7084E7CE36h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A5807 second address: 10A580D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A65B3 second address: 10A65B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A65B9 second address: 10A65BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A932D second address: 10A9340 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7084E7CE38h 0x00000008 push edx 0x00000009 ja 00007F7084E7CE36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF9FB second address: 10AFA0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F708525531Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA0D second address: 10AFA20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7084E7CE3Ah 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFB54 second address: 10AFB72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F7085255322h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B2E58 second address: 10B2E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F7084E7CE38h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e jmp 00007F7084E7CE48h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE864 second address: 10BE868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE9A2 second address: 10BE9EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007F7084E7CE36h 0x0000000b jmp 00007F7084E7CE3Ch 0x00000010 jmp 00007F7084E7CE43h 0x00000015 popad 0x00000016 jg 00007F7084E7CE42h 0x0000001c jmp 00007F7084E7CE3Ah 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 popad 0x00000024 jnp 00007F7084E7CE51h 0x0000002a ja 00007F7084E7CE3Ch 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3ACB second address: 10C3AD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3AD1 second address: 10C3ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C3ADB second address: 10C3AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CDE51 second address: 10CDE57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CDE57 second address: 10CDE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DA604 second address: 10DA60E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7084E7CE36h 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB395 second address: 10DB3B1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7085255316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F7085255316h 0x00000011 je 00007F7085255316h 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DF0F5 second address: 10DF0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DF0F9 second address: 10DF10E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F708525531Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DF10E second address: 10DF112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F1F82 second address: 10F1F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7085255328h 0x00000009 pop edi 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F1F9F second address: 10F1FA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F1FA4 second address: 10F1FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F1DEB second address: 10F1DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F1DEF second address: 10F1DFF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7085255316h 0x00000008 jnc 00007F7085255316h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E940E second address: 10E9418 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7084E7CE36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E9418 second address: 10E9434 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7085255318h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jp 00007F7085255316h 0x00000012 jbe 00007F7085255316h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1118FCA second address: 1118FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11183F7 second address: 11183FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11183FC second address: 1118402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1118402 second address: 1118408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1118408 second address: 111842A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F7084E7CE3Ch 0x0000000f jng 00007F7084E7CE36h 0x00000015 pushad 0x00000016 js 00007F7084E7CE36h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111842A second address: 1118430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A65D second address: 111A663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A663 second address: 111A667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A667 second address: 111A673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A673 second address: 111A67C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111A67C second address: 111A682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 111EA57 second address: 111EAA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F708525531Ch 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F7085255318h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push edi 0x00000027 mov dx, di 0x0000002a pop edx 0x0000002b clc 0x0000002c push 00000004h 0x0000002e mov dword ptr [ebp+12483491h], ecx 0x00000034 push EF2AA09Ah 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c jo 00007F7085255316h 0x00000042 push eax 0x00000043 pop eax 0x00000044 popad 0x00000045 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11201F9 second address: 1120216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7084E7CE49h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1120216 second address: 112021A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 112021A second address: 1120246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7084E7CE3Eh 0x0000000c jnp 00007F7084E7CE3Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jc 00007F7084E7CE36h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960152 second address: 4960170 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c mov ebx, 44A47726h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 mov cx, 08B9h 0x00000018 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4950008 second address: 495000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 495000E second address: 4950014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4950014 second address: 49500B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F7084E7CE48h 0x0000000f mov ax, C881h 0x00000013 popad 0x00000014 mov dword ptr [esp], ebp 0x00000017 pushad 0x00000018 mov cx, 06B9h 0x0000001c call 00007F7084E7CE46h 0x00000021 pushfd 0x00000022 jmp 00007F7084E7CE42h 0x00000027 sub eax, 0A3CA9F8h 0x0000002d jmp 00007F7084E7CE3Bh 0x00000032 popfd 0x00000033 pop eax 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 pushad 0x00000038 mov eax, edx 0x0000003a movsx ebx, ax 0x0000003d popad 0x0000003e pop ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov di, 8458h 0x00000046 pushfd 0x00000047 jmp 00007F7084E7CE41h 0x0000004c jmp 00007F7084E7CE3Bh 0x00000051 popfd 0x00000052 popad 0x00000053 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980DF6 second address: 4980E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980E11 second address: 4980E25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 mov bh, EEh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov esi, 2FA51525h 0x00000014 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980E25 second address: 4980E43 instructions: 0x00000000 rdtsc 0x00000002 mov ax, DEA1h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F708525531Eh 0x0000000d popad 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980E43 second address: 4980E49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980E49 second address: 4980E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980E4F second address: 4980E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920144 second address: 4920148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920148 second address: 492014E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 492014E second address: 4920155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ah 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920155 second address: 4920175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7084E7CE44h 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920175 second address: 49201BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F708525531Bh 0x00000015 adc ecx, 7F3D8F9Eh 0x0000001b jmp 00007F7085255329h 0x00000020 popfd 0x00000021 mov si, AF67h 0x00000025 popad 0x00000026 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49201F1 second address: 49201F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49201F5 second address: 49201F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49201F9 second address: 49201FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49201FF second address: 4920205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920205 second address: 4920209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940C54 second address: 4940CE4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F708525531Bh 0x00000008 adc ecx, 27DA3A1Eh 0x0000000e jmp 00007F7085255329h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a pushad 0x0000001b pushad 0x0000001c mov ax, BD39h 0x00000020 jmp 00007F7085255326h 0x00000025 popad 0x00000026 pushfd 0x00000027 jmp 00007F7085255322h 0x0000002c add ecx, 2CC7FA78h 0x00000032 jmp 00007F708525531Bh 0x00000037 popfd 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F7085255325h 0x00000042 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49407F7 second address: 49407FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49407FD second address: 4940801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940801 second address: 4940805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940805 second address: 4940814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940814 second address: 4940818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940818 second address: 494081E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 494081E second address: 4940843 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7084E7CE48h 0x00000012 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940843 second address: 4940847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940847 second address: 494084D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 494084D second address: 494089E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F708525531Eh 0x00000012 jmp 00007F7085255325h 0x00000017 popfd 0x00000018 movzx esi, di 0x0000001b popad 0x0000001c pop ebp 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F708525531Fh 0x00000025 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 494089E second address: 49408A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49406CB second address: 49406D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49406D1 second address: 4940794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 3964B9C8h 0x00000008 jmp 00007F7084E7CE41h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F7084E7CE3Eh 0x00000016 push eax 0x00000017 pushad 0x00000018 mov di, 72D4h 0x0000001c jmp 00007F7084E7CE3Dh 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F7084E7CE3Eh 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b mov al, 2Dh 0x0000002d pushfd 0x0000002e jmp 00007F7084E7CE43h 0x00000033 adc ecx, 333ABACEh 0x00000039 jmp 00007F7084E7CE49h 0x0000003e popfd 0x0000003f popad 0x00000040 pop ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007F7084E7CE43h 0x0000004a sbb ax, 88DEh 0x0000004f jmp 00007F7084E7CE49h 0x00000054 popfd 0x00000055 mov bx, cx 0x00000058 popad 0x00000059 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940794 second address: 494079A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 494079A second address: 494079E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 494079E second address: 49407A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940444 second address: 4940457 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940457 second address: 49404AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushfd 0x00000010 jmp 00007F7085255329h 0x00000015 adc ecx, 0AF43CE6h 0x0000001b jmp 00007F7085255321h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49404AD second address: 49404F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7084E7CE47h 0x00000009 jmp 00007F7084E7CE43h 0x0000000e popfd 0x0000000f movzx ecx, bx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 pushad 0x00000017 mov ecx, 2C37DDE7h 0x0000001c mov di, ax 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 mov ebx, ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 mov ax, 82ADh 0x0000002a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49404F7 second address: 4940530 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F7085255321h 0x00000013 sub ax, 3FB6h 0x00000018 jmp 00007F7085255321h 0x0000001d popfd 0x0000001e mov ebx, esi 0x00000020 popad 0x00000021 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940530 second address: 4940538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980CEC second address: 4980CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980CF2 second address: 4980CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980CF6 second address: 4980D22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7085255327h 0x00000013 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980D22 second address: 4980D6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, 2B761668h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F7084E7CE43h 0x00000017 and eax, 7E4449AEh 0x0000001d jmp 00007F7084E7CE49h 0x00000022 popfd 0x00000023 mov ah, 66h 0x00000025 popad 0x00000026 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980D6A second address: 4980DA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d jmp 00007F708525531Ah 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F7085255327h 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 496047B second address: 496047F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 496047F second address: 4960485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960485 second address: 49604B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7084E7CE3Ah 0x00000008 mov bx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7084E7CE46h 0x00000018 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49604B3 second address: 49604B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49604B9 second address: 49604CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE3Dh 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49604CA second address: 49604E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7085255323h 0x00000010 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49604E8 second address: 4960556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F7084E7CE3Bh 0x00000015 sub al, FFFFFF9Eh 0x00000018 jmp 00007F7084E7CE49h 0x0000001d popfd 0x0000001e mov dx, cx 0x00000021 popad 0x00000022 mov eax, dword ptr [ebp+08h] 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F7084E7CE49h 0x0000002c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960556 second address: 496059D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F7085255323h 0x00000015 jmp 00007F7085255323h 0x0000001a popfd 0x0000001b movzx esi, bx 0x0000001e popad 0x0000001f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 494063B second address: 4940641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940641 second address: 4940680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov bh, cl 0x0000000c mov dh, 0Ah 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F708525531Dh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov ax, F843h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007F7085255322h 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940680 second address: 4940684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4940684 second address: 494068A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 496006A second address: 4960070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960070 second address: 4960074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960074 second address: 4960096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F7084E7CE42h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960096 second address: 496009A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 496009A second address: 496009E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 496009E second address: 49600A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49600A4 second address: 49600AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49600AA second address: 49600AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49600AE second address: 49600D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov al, 2Ah 0x00000010 mov edx, 380FCF7Eh 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49600D4 second address: 49600D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49600D8 second address: 49600DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 496028C second address: 4960292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960292 second address: 4960296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960296 second address: 49602C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7085255320h 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49602C4 second address: 49602C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49602C8 second address: 49602CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49602CE second address: 49602DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE3Dh 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49602DF second address: 49602F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cx, E3C5h 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49602F5 second address: 49602F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49602F9 second address: 49602FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49602FD second address: 4960303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4960303 second address: 4960312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F708525531Bh 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498062E second address: 4980650 instructions: 0x00000000 rdtsc 0x00000002 mov bh, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7084E7CE46h 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980650 second address: 4980656 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980656 second address: 4980693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bl, EEh 0x00000011 pushfd 0x00000012 jmp 00007F7084E7CE48h 0x00000017 adc esi, 74D37C58h 0x0000001d jmp 00007F7084E7CE3Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980693 second address: 49806AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7085255324h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49806AB second address: 49806AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49806AF second address: 49806FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov di, F4D0h 0x0000000f pushfd 0x00000010 jmp 00007F7085255329h 0x00000015 jmp 00007F708525531Bh 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ecx 0x0000001d pushad 0x0000001e movzx eax, dx 0x00000021 mov dx, F8F4h 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 pushad 0x00000029 mov esi, 05269DD5h 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49806FD second address: 4980767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ecx 0x00000007 jmp 00007F7084E7CE46h 0x0000000c mov eax, dword ptr [76FA65FCh] 0x00000011 jmp 00007F7084E7CE40h 0x00000016 test eax, eax 0x00000018 jmp 00007F7084E7CE40h 0x0000001d je 00007F70F742005Bh 0x00000023 jmp 00007F7084E7CE40h 0x00000028 mov ecx, eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F7084E7CE3Ah 0x00000033 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980767 second address: 498076B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498076B second address: 4980771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980771 second address: 4980800 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov di, D812h 0x00000011 mov edx, 27FD635Eh 0x00000016 popad 0x00000017 and ecx, 1Fh 0x0000001a jmp 00007F7085255325h 0x0000001f ror eax, cl 0x00000021 jmp 00007F708525531Eh 0x00000026 leave 0x00000027 pushad 0x00000028 push ecx 0x00000029 movsx edx, cx 0x0000002c pop ecx 0x0000002d mov bx, 827Ah 0x00000031 popad 0x00000032 retn 0004h 0x00000035 nop 0x00000036 mov esi, eax 0x00000038 lea eax, dword ptr [ebp-08h] 0x0000003b xor esi, dword ptr [00E72014h] 0x00000041 push eax 0x00000042 push eax 0x00000043 push eax 0x00000044 lea eax, dword ptr [ebp-10h] 0x00000047 push eax 0x00000048 call 00007F7088DA5A1Eh 0x0000004d push FFFFFFFEh 0x0000004f pushad 0x00000050 mov bx, E6D2h 0x00000054 push eax 0x00000055 push edx 0x00000056 pushfd 0x00000057 jmp 00007F7085255329h 0x0000005c adc ah, FFFFFFA6h 0x0000005f jmp 00007F7085255321h 0x00000064 popfd 0x00000065 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980800 second address: 4980804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4980804 second address: 49808ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 call 00007F708525531Ah 0x0000000e push esi 0x0000000f pop ebx 0x00000010 pop esi 0x00000011 jmp 00007F7085255327h 0x00000016 popad 0x00000017 ret 0x00000018 nop 0x00000019 push eax 0x0000001a call 00007F7088DA5A82h 0x0000001f mov edi, edi 0x00000021 pushad 0x00000022 jmp 00007F7085255324h 0x00000027 pushfd 0x00000028 jmp 00007F7085255322h 0x0000002d sub esi, 7A76A808h 0x00000033 jmp 00007F708525531Bh 0x00000038 popfd 0x00000039 popad 0x0000003a xchg eax, ebp 0x0000003b pushad 0x0000003c mov bx, ax 0x0000003f pushfd 0x00000040 jmp 00007F7085255320h 0x00000045 xor ax, CA68h 0x0000004a jmp 00007F708525531Bh 0x0000004f popfd 0x00000050 popad 0x00000051 push eax 0x00000052 jmp 00007F7085255329h 0x00000057 xchg eax, ebp 0x00000058 jmp 00007F708525531Eh 0x0000005d mov ebp, esp 0x0000005f jmp 00007F7085255320h 0x00000064 pop ebp 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F7085255327h 0x0000006c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493001B second address: 4930033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE44h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930033 second address: 4930062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F7085255326h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930062 second address: 4930066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930066 second address: 493006A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493006A second address: 4930070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930070 second address: 4930098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 555B2498h 0x00000008 jmp 00007F7085255321h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 mov edx, 0C51DE0Ch 0x0000001b popad 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930098 second address: 49300AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7084E7CE41h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49300AD second address: 49300BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov bh, 52h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49300BE second address: 49300E3 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 31650317h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a and esp, FFFFFFF8h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7084E7CE44h 0x00000016 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49300E3 second address: 49300F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49300F2 second address: 49300F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49300F8 second address: 49300FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49300FC second address: 493010B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493010B second address: 4930111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930111 second address: 493012E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE40h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493012E second address: 4930132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930132 second address: 4930136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930136 second address: 493013C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493013C second address: 49301D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7084E7CE3Eh 0x00000011 and cl, FFFFFFD8h 0x00000014 jmp 00007F7084E7CE3Bh 0x00000019 popfd 0x0000001a push esi 0x0000001b mov esi, ebx 0x0000001d pop edx 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 jmp 00007F7084E7CE47h 0x00000026 pushfd 0x00000027 jmp 00007F7084E7CE48h 0x0000002c sub si, B798h 0x00000031 jmp 00007F7084E7CE3Bh 0x00000036 popfd 0x00000037 popad 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F7084E7CE45h 0x00000040 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49301D5 second address: 49301F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx ebx, cx 0x00000012 mov al, BDh 0x00000014 popad 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49301F6 second address: 49301FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49301FB second address: 4930209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930209 second address: 493020F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493020F second address: 4930241 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255328h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F708525531Bh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, dx 0x00000016 mov esi, edi 0x00000018 popad 0x00000019 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930241 second address: 4930247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930247 second address: 493027E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F7085255320h 0x00000013 xchg eax, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop esi 0x00000019 mov ebx, 476A66ECh 0x0000001e popad 0x0000001f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493027E second address: 49302CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7084E7CE41h 0x00000011 or cx, AD76h 0x00000016 jmp 00007F7084E7CE41h 0x0000001b popfd 0x0000001c mov cx, B467h 0x00000020 popad 0x00000021 xchg eax, edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49302CB second address: 49302CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49302CF second address: 49302DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49302DE second address: 49302F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7085255324h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49302F6 second address: 4930390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e mov esi, 195EAA4Bh 0x00000013 jmp 00007F7084E7CE40h 0x00000018 popad 0x00000019 je 00007F70F746B12Bh 0x0000001f jmp 00007F7084E7CE40h 0x00000024 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002b jmp 00007F7084E7CE40h 0x00000030 je 00007F70F746B114h 0x00000036 jmp 00007F7084E7CE40h 0x0000003b mov edx, dword ptr [esi+44h] 0x0000003e pushad 0x0000003f mov bx, cx 0x00000042 pushfd 0x00000043 jmp 00007F7084E7CE3Ah 0x00000048 xor esi, 0F371418h 0x0000004e jmp 00007F7084E7CE3Bh 0x00000053 popfd 0x00000054 popad 0x00000055 or edx, dword ptr [ebp+0Ch] 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930390 second address: 4930397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, dh 0x00000006 popad 0x00000007 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930397 second address: 493046F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F7084E7CE44h 0x00000016 or eax, 4FAA98D8h 0x0000001c jmp 00007F7084E7CE3Bh 0x00000021 popfd 0x00000022 mov dl, ch 0x00000024 popad 0x00000025 jne 00007F70F746B0DFh 0x0000002b jmp 00007F7084E7CE3Bh 0x00000030 test byte ptr [esi+48h], 00000001h 0x00000034 pushad 0x00000035 mov ecx, 7CBA339Bh 0x0000003a call 00007F7084E7CE40h 0x0000003f pushfd 0x00000040 jmp 00007F7084E7CE42h 0x00000045 or ah, FFFFFF98h 0x00000048 jmp 00007F7084E7CE3Bh 0x0000004d popfd 0x0000004e pop ecx 0x0000004f popad 0x00000050 jne 00007F70F746B0A9h 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007F7084E7CE47h 0x0000005f or si, CB0Eh 0x00000064 jmp 00007F7084E7CE49h 0x00000069 popfd 0x0000006a popad 0x0000006b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493046F second address: 4930475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930475 second address: 4930479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 492080D second address: 4920811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920811 second address: 4920815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920815 second address: 492081B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 492081B second address: 4920821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920821 second address: 4920859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F7085255320h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F708525531Eh 0x00000019 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920859 second address: 49208B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F7084E7CE46h 0x0000000f xchg eax, esi 0x00000010 jmp 00007F7084E7CE40h 0x00000015 push eax 0x00000016 jmp 00007F7084E7CE3Bh 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7084E7CE45h 0x00000023 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49208B4 second address: 4920905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, 235D9C3Eh 0x00000014 pushfd 0x00000015 jmp 00007F708525531Fh 0x0000001a add ecx, 374790EEh 0x00000020 jmp 00007F7085255329h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920905 second address: 492090A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 492090A second address: 4920932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, 00000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007F7085255321h 0x00000016 pop eax 0x00000017 mov di, A944h 0x0000001b popad 0x0000001c rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920932 second address: 4920937 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920937 second address: 4920948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov al, 41h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920948 second address: 492094C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 492094C second address: 4920952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920952 second address: 4920958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920958 second address: 49209EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F70F784AD44h 0x0000000e pushad 0x0000000f mov esi, edi 0x00000011 call 00007F7085255325h 0x00000016 mov bx, cx 0x00000019 pop ecx 0x0000001a popad 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 pushad 0x00000023 mov edi, 35E2C59Ch 0x00000028 call 00007F7085255325h 0x0000002d call 00007F7085255320h 0x00000032 pop esi 0x00000033 pop edi 0x00000034 popad 0x00000035 mov ecx, esi 0x00000037 jmp 00007F708525531Eh 0x0000003c je 00007F70F784ACF1h 0x00000042 jmp 00007F7085255320h 0x00000047 test byte ptr [76FA6968h], 00000002h 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49209EB second address: 49209EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49209EF second address: 49209F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49209F5 second address: 4920A77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F70F74727DFh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F7084E7CE3Eh 0x00000016 sub ax, B9D8h 0x0000001b jmp 00007F7084E7CE3Bh 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F7084E7CE48h 0x00000027 sbb ch, 00000038h 0x0000002a jmp 00007F7084E7CE3Bh 0x0000002f popfd 0x00000030 popad 0x00000031 mov edx, dword ptr [ebp+0Ch] 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F7084E7CE45h 0x0000003b rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920A77 second address: 4920AAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F7085255329h 0x00000014 popad 0x00000015 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AAC second address: 4920AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AB2 second address: 4920AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AB6 second address: 4920ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920ABA second address: 4920ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx ebx, cx 0x0000000f mov dx, cx 0x00000012 popad 0x00000013 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920ACD second address: 4920AD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AD2 second address: 4920AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AE0 second address: 4920AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AE6 second address: 4920AFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7085255321h 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AFB second address: 4920AFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920AFF second address: 4920B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920B0E second address: 4920B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920B12 second address: 4920B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920B16 second address: 4920B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920B1C second address: 4920B4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F708525531Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7085255327h 0x00000013 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920B4A second address: 4920BC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c pushad 0x0000000d mov si, EB33h 0x00000011 pushfd 0x00000012 jmp 00007F7084E7CE48h 0x00000017 and ah, 00000038h 0x0000001a jmp 00007F7084E7CE3Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push dword ptr [ebp+10h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F7084E7CE3Bh 0x0000002d jmp 00007F7084E7CE43h 0x00000032 popfd 0x00000033 mov eax, 68E05B4Fh 0x00000038 popad 0x00000039 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920BC4 second address: 4920BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920C2F second address: 4920C46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7084E7CE43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4920C46 second address: 4920C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930DCB second address: 4930E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F7084E7CE48h 0x0000000b sbb ax, 74C8h 0x00000010 jmp 00007F7084E7CE3Bh 0x00000015 popfd 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F7084E7CE46h 0x0000001d push eax 0x0000001e jmp 00007F7084E7CE3Bh 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930E25 second address: 4930E40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7085255327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4930E40 second address: 4930E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                              Tries to evade debugger and weak emulator (self modifying code)
                              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E7EAFF instructions caused by: Self-modifying code
                              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1051A9E instructions caused by: Self-modifying code
                              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 1037450 instructions caused by: Self-modifying code
                              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 10B7C1A instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 1FEAFF instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 3D1A9E instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 3B7450 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeSpecial instruction interceptor: First address: 437C1A instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSpecial instruction interceptor: First address: FBDE39 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeSpecial instruction interceptor: First address: 104F426 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSpecial instruction interceptor: First address: BC7858 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSpecial instruction interceptor: First address: BC795D instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSpecial instruction interceptor: First address: D5ABEB instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSpecial instruction interceptor: First address: D64DB0 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeSpecial instruction interceptor: First address: DE1F4A instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSpecial instruction interceptor: First address: A1FDF5 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSpecial instruction interceptor: First address: BDDBE5 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSpecial instruction interceptor: First address: C52E50 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeSpecial instruction interceptor: First address: 9BDD2F instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeSpecial instruction interceptor: First address: 9BDC60 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeSpecial instruction interceptor: First address: B69739 instructions caused by: Self-modifying code
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeMemory allocated: E60000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeMemory allocated: 2830000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeMemory allocated: 4830000 memory reserve | memory write watch
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeMemory allocated: 18167770000 memory reserve | memory write watch
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeMemory allocated: 18169150000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeMemory allocated: 49A0000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeMemory allocated: 4B20000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeMemory allocated: 6B20000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 13E0000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 2D90000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 4D90000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 53F0000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 63F0000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 6520000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 7520000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: B490000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: C490000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: C920000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: D920000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: F170000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 10170000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory allocated: 11170000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeMemory allocated: 50A0000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeMemory allocated: 52C0000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeMemory allocated: 5110000 memory reserve | memory write watch
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_049A0C4E rdtsc 0_2_049A0C4E
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeThread delayed: delay time: 922337203685477
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeThread delayed: delay time: 922337203685477
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 1189Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 1317Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeWindow / User API: threadDelayed 1313Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeWindow / User API: threadDelayed 3287
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeWindow / User API: threadDelayed 6512
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6497
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3192
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7599
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2103
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeWindow / User API: threadDelayed 725
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1240
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1163
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1144
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1183
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1201
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1203
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1138
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1148
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 999
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 444
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1137
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1159
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1134
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1121
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeWindow / User API: threadDelayed 1144
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[5].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017987001\7bbff7a3a2.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017985001\1e467b8b46.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[5].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017989001\4c7aea0d0a.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017988001\2dc416cfa5.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017991001\617d9fb7ad.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017983001\f71e300ff9.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017992001\e7bd366d99.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017999001\daaacc90a2.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\ProgramData\nss3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeDropped PE file which has not been started: C:\ProgramData\freebl3.dllJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017986001\5dfec4fe99.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1017993001\718f24a5dc.exeJump to dropped file
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4124Thread sleep count: 56 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4124Thread sleep time: -112056s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4764Thread sleep count: 1189 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4764Thread sleep time: -2379189s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3868Thread sleep count: 262 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3868Thread sleep time: -7860000s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4828Thread sleep count: 1317 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4828Thread sleep time: -2635317s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5148Thread sleep count: 1313 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5148Thread sleep time: -2627313s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe TID: 1196Thread sleep time: -210000s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe TID: 2676Thread sleep time: -46023s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe TID: 5880Thread sleep time: -40020s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe TID: 6496Thread sleep time: -40020s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe TID: 4744Thread sleep time: -180000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe TID: 6556Thread sleep time: -40020s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe TID: 6596Thread sleep time: -30015s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -35048813740048126s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -100000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99875s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99766s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99656s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99547s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99438s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99328s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99219s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -99094s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -98985s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -98860s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -98735s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -98619s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -98487s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -98203s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -98081s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97953s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97844s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97734s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97619s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97500s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97386s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97266s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97157s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -97032s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96907s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96782s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96657s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96547s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96438s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96313s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96188s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -96063s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95948s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95828s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95719s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95605s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95486s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95366s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95250s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95137s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -95016s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -94891s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -94813s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -94688s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -94576s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -94454s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -94329s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe TID: 5008Thread sleep time: -94204s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6044Thread sleep time: -4611686018427385s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3504Thread sleep count: 7599 > 30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3504Thread sleep count: 2103 > 30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500Thread sleep time: -4611686018427385s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5864Thread sleep time: -60000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5512Thread sleep time: -30000s >= -30000s
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe TID: 720Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe TID: 1580Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe TID: 4368Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 6056Thread sleep count: 1240 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 6056Thread sleep time: -2481240s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 1100Thread sleep count: 1163 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 1100Thread sleep time: -2327163s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 1628Thread sleep time: -40000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 2124Thread sleep count: 1144 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 2124Thread sleep time: -2289144s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 5648Thread sleep count: 1183 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 5648Thread sleep time: -2367183s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 3664Thread sleep count: 1201 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 3664Thread sleep time: -2403201s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 5896Thread sleep count: 1203 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 5896Thread sleep time: -2407203s >= -30000s
                              Source: C:\Windows\System32\svchost.exe TID: 3640Thread sleep time: -30000s >= -30000s
                              Source: C:\Windows\System32\svchost.exe TID: 5424Thread sleep time: -30000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 6624Thread sleep count: 32 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 6624Thread sleep time: -64032s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 7060Thread sleep count: 38 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 7060Thread sleep time: -76038s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 1380Thread sleep count: 34 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 1380Thread sleep time: -68034s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5568Thread sleep time: -32000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5244Thread sleep time: -30000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 1844Thread sleep count: 45 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 1844Thread sleep time: -90045s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 2448Thread sleep time: -50025s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5512Thread sleep count: 34 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5512Thread sleep time: -68034s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5840Thread sleep count: 36 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 5840Thread sleep time: -72036s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 2892Thread sleep time: -54027s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 7160Thread sleep time: -44000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 1996Thread sleep time: -56028s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 1656Thread sleep time: -46023s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 7660Thread sleep time: -30000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 6220Thread sleep count: 36 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe TID: 6220Thread sleep time: -72036s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe TID: 8772Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8580Thread sleep count: 1138 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8580Thread sleep time: -2277138s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8584Thread sleep count: 1148 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8584Thread sleep time: -2297148s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8588Thread sleep count: 999 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8588Thread sleep time: -1998999s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8360Thread sleep count: 444 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8360Thread sleep time: -2664000s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8596Thread sleep count: 1137 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8596Thread sleep time: -2275137s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8592Thread sleep count: 1159 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8592Thread sleep time: -2319159s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8572Thread sleep count: 1134 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8572Thread sleep time: -2269134s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8600Thread sleep count: 1121 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8600Thread sleep time: -2243121s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8576Thread sleep count: 1144 > 30
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe TID: 8576Thread sleep time: -2289144s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe TID: 7344Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe TID: 8012Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Users\user\Desktop\file.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile Volume queried: C:\ FullSizeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DC36A9 FindFirstFileExW,7_2_00DC36A9
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DC375A FindFirstFileExW,FindNextFileW,FindClose,FindClose,7_2_00DC375A
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread delayed: delay time: 30000Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 100000
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99875
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99766
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99656
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99547
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99438
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99328
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99219
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 99094
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 98985
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 98860
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 98735
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 98619
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 98487
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 98203
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 98081
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97953
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97844
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97734
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97619
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97500
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97386
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97266
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97157
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 97032
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96907
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96782
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96657
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96547
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96438
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96313
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96188
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 96063
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95948
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95828
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95719
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95605
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95486
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95366
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95250
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95137
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 95016
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 94891
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 94813
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 94688
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 94576
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 94454
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 94329
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeThread delayed: delay time: 94204
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeThread delayed: delay time: 922337203685477
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeThread delayed: delay time: 922337203685477
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeThread delayed: delay time: 922337203685477
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeThread delayed: delay time: 922337203685477
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                              Source: skotes.exe, skotes.exe, 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmp, e565baa4b6.exe, 0000000A.00000002.3290323952.0000000000F9F000.00000040.00000001.01000000.0000000A.sdmp, 128703c003.exe, 00000012.00000002.3013125466.0000000000D3C000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                              Source: 7ccdd68f3b.exe, 0000001B.00000002.3305532351.0000000001412000.00000004.00000020.00020000.00000000.sdmp, 7ccdd68f3b.exe, 0000001B.00000003.3290321113.00000000013E3000.00000004.00000020.00020000.00000000.sdmp, 7ccdd68f3b.exe, 0000001B.00000003.3299140187.0000000001411000.00000004.00000020.00020000.00000000.sdmp, 7ccdd68f3b.exe, 0000001B.00000003.3291479825.00000000013EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW.8=
                              Source: 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001381000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW<
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3219575719.0000000005E84000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696428655p
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                              Source: a2236cc5aa.exe, a2236cc5aa.exe, 00000009.00000003.3092499477.000000000122B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000122B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029437490.000000000122B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3006552725.000000000122D000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122658789.000000000122D000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029644708.000000000122D000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3134231707.000000000122E000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3133480042.00000000011FC000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3285986121.0000000000815000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                              Source: 7ccdd68f3b.exe, 0000001B.00000003.3237546090.000000000141F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW"
                              Source: 3494904393.exe, 0000000B.00000002.3048855313.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3163410675.000001816AF72000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                              Source: 3494904393.exe, 0000000B.00000002.3048855313.0000000000B07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                              Source: 128703c003.exe, 00000017.00000003.3219575719.0000000005E84000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: YNVMware
                              Source: e565baa4b6.exe, 0000000A.00000002.3283325885.00000000007D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX,
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                              Source: file.exe, 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmp, e565baa4b6.exe, 0000000A.00000002.3290323952.0000000000F9F000.00000040.00000001.01000000.0000000A.sdmp, 128703c003.exe, 00000012.00000002.3013125466.0000000000D3C000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                              Source: 128703c003.exe, 00000017.00000003.3215322011.0000000005E0D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeAPI call chain: ExitProcess graph end nodegraph_7-14635
                              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                              Anti Debugging

                              barindex
                              Hides threads from debuggers
                              Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeThread information set: HideFromDebuggerJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeThread information set: HideFromDebugger
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeThread information set: HideFromDebugger
                              Tries to detect sandboxes and other dynamic analysis tools (window names)
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: regmonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: gbdyllo
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: procmon_window_class
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: ollydbg
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: filemonclass
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeFile opened: NTICE
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeFile opened: SICE
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeFile opened: SIWVID
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeSystem information queried: KernelDebuggerInformation
                              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess queried: DebugPortJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess queried: DebugPort
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess queried: DebugPort
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_049A0C4E rdtsc 0_2_049A0C4E
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB5020 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00DB5020
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4652B mov eax, dword ptr fs:[00000030h]0_2_00E4652B
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E4A302 mov eax, dword ptr fs:[00000030h]0_2_00E4A302
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001CA302 mov eax, dword ptr fs:[00000030h]2_2_001CA302
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 2_2_001C652B mov eax, dword ptr fs:[00000030h]2_2_001C652B
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001CA302 mov eax, dword ptr fs:[00000030h]3_2_001CA302
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeCode function: 3_2_001C652B mov eax, dword ptr fs:[00000030h]3_2_001C652B
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DD519E mov edi, dword ptr fs:[00000030h]7_2_00DD519E
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB1614 mov edi, dword ptr fs:[00000030h]7_2_00DB1614
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DBFE2C GetProcessHeap,7_2_00DBFE2C
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeProcess token adjusted: Debug
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB5014 SetUnhandledExceptionFilter,7_2_00DB5014
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB5020 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00DB5020
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DBB4B9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00DBB4B9
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DB4C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00DB4C64
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeMemory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              barindex
                              Yara detected Powershell download and execute
                              Source: Yara matchFile source: Process Memory Space: 3494904393.exe PID: 6148, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 63506cf0a7384158900a9c4410789dbd.exe PID: 2616, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 8a13e339a3.exe PID: 3184, type: MEMORYSTR
                              Adds a directory exclusion to Windows Defender
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                              Contains functionality to inject code into remote processes
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: 7_2_00DD519E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,7_2_00DD519E
                              Injects a PE file into a foreign processes
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeMemory written: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe base: 400000 value starts with: 4D5AJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeMemory written: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe base: 400000 value starts with: 4D5A
                              LummaC encrypted strings found
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: rapeflowwj.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: crosshuaht.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: sustainskelet.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: aspecteirs.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: energyaffai.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: necklacebudi.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: discokeyus.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: grannyejh.lat
                              Source: a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: pancakedipyps.click
                              Source: e565baa4b6.exe, 0000000A.00000003.2826158039.00000000048D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: treehoneyi.click
                              Source: 128703c003.exe, 00000012.00000003.2969053173.0000000004B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: sweepyribs.lat
                              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe "C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe "C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe "C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe "C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe "C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe "C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe "C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe" Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeProcess created: unknown unknownJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeProcess created: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe "C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe"Jump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe "C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe"
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeProcess created: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe "C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe"
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeProcess created: unknown unknown
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
                              Source: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
                              Source: C:\Windows\System32\conhost.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=2172 -parentbuildid 20230927232528 -prefshandle 2120 -prefmaphandle 2112 -prefslen 25308 -prefmapsize 237879 -win32klockeddown -appdir "c:\program files\mozilla firefox\browser" - {d3116d80-26e5-4678-b47c-6e372794e0eb} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 2800d16fd10 socket
                              Source: C:\Windows\System32\conhost.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "c:\program files\mozilla firefox\firefox.exe" -contentproc --channel=2860 -parentbuildid 20230927232528 -prefshandle 4300 -prefmaphandle 4304 -prefslen 26395 -prefmapsize 237879 -appdir "c:\program files\mozilla firefox\browser" - {822619a6-5657-47d3-80bf-2521004ff1f0} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 28020772b10 rdd
                              Source: skotes.exe, skotes.exe, 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: =Program Manager
                              Source: 128703c003.exe, 00000012.00000002.3013125466.0000000000D3C000.00000040.00000001.01000000.0000000F.sdmpBinary or memory string: Program Manager
                              Source: e565baa4b6.exe, 0000000A.00000002.3290323952.0000000000F9F000.00000040.00000001.01000000.0000000A.sdmpBinary or memory string: jLProgram Manager
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: GetLocaleInfoW,7_2_00DC30D1
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: EnumSystemLocalesW,7_2_00DC3086
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_00DC3178
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: GetLocaleInfoW,7_2_00DC327E
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: GetLocaleInfoW,7_2_00DBF21C
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_00DC2A13
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_00DC2CFF
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: EnumSystemLocalesW,7_2_00DC2C64
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: GetLocaleInfoW,7_2_00DC2FB1
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: EnumSystemLocalesW,7_2_00DC2F52
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeCode function: EnumSystemLocalesW,7_2_00DBF717
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017983001\f71e300ff9.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017983001\f71e300ff9.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017985001\1e467b8b46.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017985001\1e467b8b46.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017986001\5dfec4fe99.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017986001\5dfec4fe99.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017987001\7bbff7a3a2.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017987001\7bbff7a3a2.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017988001\2dc416cfa5.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017988001\2dc416cfa5.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017989001\4c7aea0d0a.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017989001\4c7aea0d0a.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017991001\617d9fb7ad.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017991001\617d9fb7ad.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017992001\e7bd366d99.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017992001\e7bd366d99.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017993001\718f24a5dc.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017993001\718f24a5dc.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017994001\98679d2b4b.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017994001\98679d2b4b.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017995001\8d966c471d.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017995001\8d966c471d.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017996001\9c5dc2c478.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017996001\9c5dc2c478.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017997001\4e48e9ad99.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017997001\4e48e9ad99.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017998001\ab2f510d23.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017998001\ab2f510d23.exe VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exeQueries volume information: unknown VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\System32\WinMetadata\Windows.Globalization.winmd VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\System32\WinMetadata\Windows.Data.winmd VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                              Source: C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFED7C.tmp VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: unknown VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: unknown VolumeInformation
                              Source: C:\Windows\System32\svchost.exeQueries volume information: unknown VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00E2CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,0_2_00E2CBEA
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                              Lowering of HIPS / PFW / Operating System Security Settings

                              barindex
                              Disable Windows Defender notifications (registry)
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
                              Disable Windows Defender real time protection (registry)
                              Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableIOAVProtection 1
                              Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableRealtimeMonitoring 1
                              Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\NotificationsRegistry value created: DisableNotifications 1
                              Disables Windows Defender Tamper protection
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeRegistry value created: TamperProtection 0
                              Modifies windows update settings
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
                              Source: C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
                              Overwrites Mozilla Firefox settings
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                              Source: a2236cc5aa.exe, a2236cc5aa.exe, 00000009.00000003.3029437490.000000000122B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029378664.000000000382F000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3048971355.000000000382F000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029644708.000000000122D000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3034696471.000000000382F000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3141123651.000000000382F000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3047195115.000000000382F000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3213908752.0000000000874000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3288044439.000000000087B000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3190134926.000000000087B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                              Stealing of Sensitive Information

                              barindex
                              Yara detected Amadeys stealer DLL
                              Source: Yara matchFile source: 3.2.skotes.exe.190000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.2.file.exe.e10000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.2.skotes.exe.190000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000003.00000003.2200230498.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000006.00000003.2630147663.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000003.2202358687.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000000.00000003.2160698202.0000000004780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Yara detected Credential Flusher
                              Source: Yara matchFile source: Process Memory Space: 7ccdd68f3b.exe PID: 3848, type: MEMORYSTR
                              Yara detected LummaC Stealer
                              Source: Yara matchFile source: Process Memory Space: a2236cc5aa.exe PID: 5256, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: e565baa4b6.exe PID: 2608, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 128703c003.exe PID: 4088, type: MEMORYSTR
                              Yara detected PureLog Stealer
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe, type: DROPPED
                              Yara detected Stealc
                              Source: Yara matchFile source: 00000030.00000003.3288737853.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000015.00000003.3086871686.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 8a13e339a3.exe PID: 3184, type: MEMORYSTR
                              Yara detected Vidar stealer
                              Source: Yara matchFile source: 19.0.63506cf0a7384158900a9c4410789dbd.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 3494904393.exe PID: 6148, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 63506cf0a7384158900a9c4410789dbd.exe PID: 2616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe, type: DROPPED
                              Found many strings related to Crypto-Wallets (likely being stolen)
                              Source: a2236cc5aa.exeString found in binary or memory: Wallets/Electrum-LTC
                              Source: a2236cc5aa.exeString found in binary or memory: Wallets/ElectronCash
                              Source: a2236cc5aa.exeString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                              Source: a2236cc5aa.exe, 00000009.00000003.3006552725.000000000122D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                              Source: a2236cc5aa.exe, 00000009.00000003.3006552725.0000000001283000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                              Source: a2236cc5aa.exe, 00000009.00000003.2973112098.00000000012AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ExodusWeb3
                              Source: a2236cc5aa.exeString found in binary or memory: %appdata%\Ethereum
                              Source: a2236cc5aa.exeString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                              Source: a2236cc5aa.exe, 00000009.00000003.3006808233.000000000120A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                              Tries to harvest and steal Bitcoin Wallet information
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                              Tries to harvest and steal browser information (history, passwords, etc)
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\key4.db
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                              Tries to harvest and steal ftp login credentials
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                              Tries to steal Crypto Currency Wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                              Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWPJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKOJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWY
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWY
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIE
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIE
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRH
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\LTKMYBSEYZ
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYC
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZW
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWY
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWY
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AFWAAFRXKO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSB
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSO
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIE
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIE
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWY
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWY
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\TQDGENUHWP
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXI
                              Source: C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exeDirectory queried: number of queries: 2002
                              Source: C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exeDirectory queried: number of queries: 1001
                              Source: C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exeDirectory queried: number of queries: 1001
                              Source: Yara matchFile source: 00000017.00000003.3258078775.000000000169B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000009.00000003.3006312115.0000000001288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000017.00000003.3275631067.000000000169B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000017.00000003.3258078775.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001E.00000003.3500289993.0000000001354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000017.00000003.3275631067.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000017.00000003.3335757490.000000000169B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001E.00000003.3503373239.0000000001355000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001E.00000003.3501962670.0000000001354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000017.00000003.3334478529.000000000169B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: a2236cc5aa.exe PID: 5256, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: e565baa4b6.exe PID: 2608, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 63506cf0a7384158900a9c4410789dbd.exe PID: 2616, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 128703c003.exe PID: 4088, type: MEMORYSTR

                              Remote Access Functionality

                              barindex
                              Attempt to bypass Chrome Application-Bound Encryption
                              Source: C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                              Yara detected Credential Flusher
                              Source: Yara matchFile source: Process Memory Space: 7ccdd68f3b.exe PID: 3848, type: MEMORYSTR
                              Yara detected LummaC Stealer
                              Source: Yara matchFile source: Process Memory Space: a2236cc5aa.exe PID: 5256, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: e565baa4b6.exe PID: 2608, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 128703c003.exe PID: 4088, type: MEMORYSTR
                              Yara detected PureLog Stealer
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe, type: DROPPED
                              Yara detected Stealc
                              Source: Yara matchFile source: 00000030.00000003.3288737853.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000015.00000003.3086871686.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 8a13e339a3.exe PID: 3184, type: MEMORYSTR
                              Yara detected Vidar stealer
                              Source: Yara matchFile source: 19.0.63506cf0a7384158900a9c4410789dbd.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: 3494904393.exe PID: 6148, type: MEMORYSTR
                              Source: Yara matchFile source: Process Memory Space: 63506cf0a7384158900a9c4410789dbd.exe PID: 2616, type: MEMORYSTR
                              Source: Yara matchFile source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe, type: DROPPED

                              Mitre Att&ck Matrix

                              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                              Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                              Windows Management Instrumentation                              		1
                              DLL Side-Loading                              		1
                              DLL Side-Loading                              		511
                              Disable or Modify Tools                              		2
                              OS Credential Dumping                              		1
                              System Time Discovery                              		Remote Services1
                              Archive Collected Data                              		1
                              Ingress Tool Transfer                              		Exfiltration Over Other Network MediumAbuse Accessibility Features
                              CredentialsDomainsDefault Accounts1
                              Native API                              		1
                              Scheduled Task/Job                              		2
                              Bypass User Account Control                              		11
                              Deobfuscate/Decode Files or Information                              		1
                              Credentials in Registry                              		23
                              File and Directory Discovery                              		Remote Desktop Protocol1
                              Browser Session Hijacking                              		1
                              Encrypted Channel                              		Exfiltration Over BluetoothNetwork Denial of Service
                              Email AddressesDNS ServerDomain Accounts12
                              Command and Scripting Interpreter                              		111
                              Registry Run Keys / Startup Folder                              		1
                              Extra Window Memory Injection                              		4
                              Obfuscated Files or Information                              		Security Account Manager256
                              System Information Discovery                              		SMB/Windows Admin Shares41
                              Data from Local System                              		1
                              Remote Access Software                              		Automated ExfiltrationData Encrypted for Impact
                              Employee NamesVirtual Private ServerLocal Accounts1
                              Scheduled Task/Job                              		Login Hook212
                              Process Injection                              		12
                              Software Packing                              		NTDS11
                              Query Registry                              		Distributed Component Object ModelInput Capture1
                              Application Layer Protocol                              		Traffic DuplicationData Destruction
                              Gather Victim Network InformationServerCloud Accounts1
                              PowerShell                              		Network Logon Script1
                              Scheduled Task/Job                              		1
                              Timestomp                              		LSA Secrets9101
                              Security Software Discovery                              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts111
                              Registry Run Keys / Startup Folder                              		1
                              DLL Side-Loading                              		Cached Domain Credentials2
                              Process Discovery                              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                              Bypass User Account Control                              		DCSync381
                              Virtualization/Sandbox Evasion                              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                              Extra Window Memory Injection                              		Proc Filesystem1
                              Application Window Discovery                              		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                              Masquerading                              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron381
                              Virtualization/Sandbox Evasion                              		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                              Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd212
                              Process Injection                              		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                              Behavior Graph

                              Hide Legend

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet
                              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1578628 Sample: file.exe Startdate: 20/12/2024 Architecture: WINDOWS Score: 100 163 Found malware configuration 2->163 165 Antivirus detection for dropped file 2->165 167 Antivirus / Scanner detection for submitted sample 2->167 169 18 other signatures 2->169 9 skotes.exe 8 95 2->9         started        14 file.exe 5 2->14         started        16 128703c003.exe 2->16         started        18 7 other processes 2->18 process3 dnsIp4 147 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 9->147 149 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 9->149 151 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 9->151 99 C:\Users\user\AppData\...\daaacc90a2.exe, PE32 9->99 dropped 101 C:\Users\user\AppData\...\ab2f510d23.exe, PE32 9->101 dropped 115 40 other malicious files 9->115 dropped 215 Creates multiple autostart registry keys 9->215 217 Hides threads from debuggers 9->217 219 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->219 20 8a13e339a3.exe 9->20         started        25 3494904393.exe 9->25         started        27 e565baa4b6.exe 9->27         started        35 5 other processes 9->35 103 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->103 dropped 105 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->105 dropped 221 Detected unpacking (changes PE section rights) 14->221 223 Tries to evade debugger and weak emulator (self modifying code) 14->223 225 Tries to detect virtualization through RDTSC time measurements 14->225 29 skotes.exe 14->29         started        107 C:\Users\user\...\WHQUF4KURLOTATA7WCHH.exe, PE32 16->107 dropped 109 C:\Users\user\...\RIZ8QT1S0BQ20WD7KBBS21.exe, PE32 16->109 dropped 227 Query firmware table information (likely to detect VMs) 16->227 229 Tries to harvest and steal browser information (history, passwords, etc) 16->229 231 Tries to steal Crypto Currency Wallets 16->231 153 23.218.208.109 AS6453US United States 18->153 155 127.0.0.1 unknown unknown 18->155 111 C:\...\TYUE4E8K2GIAZ6KSY1ZAXK0WL48NIVF.exe, PE32 18->111 dropped 113 C:\Users\user\...\DFAWHTB6ZKNPCDBIS7.exe, PE32 18->113 dropped 233 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->233 31 firefox.exe 18->31         started        33 taskkill.exe 18->33         started        file5 signatures6 process7 dnsIp8 123 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 20->123 83 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->83 dropped 85 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 20->85 dropped 87 C:\Users\user\AppData\...\mozglue[1].dll, PE32 20->87 dropped 97 10 other files (6 malicious) 20->97 dropped 171 Attempt to bypass Chrome Application-Bound Encryption 20->171 173 Overwrites Mozilla Firefox settings 20->173 189 5 other signatures 20->189 49 2 other processes 20->49 125 20.233.83.145 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->125 127 185.199.109.133 FASTLYUS Netherlands 25->127 89 C:\...\9c439e52050a49e0875bf199b254f370.exe, PE32 25->89 dropped 91 C:\...\63506cf0a7384158900a9c4410789dbd.exe, PE32 25->91 dropped 175 Multi AV Scanner detection for dropped file 25->175 177 Adds a directory exclusion to Windows Defender 25->177 37 63506cf0a7384158900a9c4410789dbd.exe 25->37         started        41 powershell.exe 25->41         started        43 powershell.exe 25->43         started        51 2 other processes 25->51 129 172.67.180.113 CLOUDFLARENETUS United States 27->129 179 Detected unpacking (changes PE section rights) 27->179 181 Query firmware table information (likely to detect VMs) 27->181 191 2 other signatures 27->191 183 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 29->183 193 2 other signatures 29->193 131 142.250.181.110 GOOGLEUS United States 31->131 135 6 other IPs or domains 31->135 93 C:\Users\user\AppData\...\places.sqlite-wal, SQLite 31->93 dropped 95 C:\Users\user\AppData\...\places.sqlite-shm, data 31->95 dropped 53 2 other processes 31->53 45 conhost.exe 33->45         started        133 104.21.64.80 CLOUDFLARENETUS United States 35->133 185 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->185 187 Contains functionality to inject code into remote processes 35->187 195 5 other signatures 35->195 47 a2236cc5aa.exe 35->47         started        55 7 other processes 35->55 file9 signatures10 process11 dnsIp12 137 149.154.167.99 TELEGRAMRU United Kingdom 37->137 139 116.203.12.114 HETZNER-ASDE Germany 37->139 197 Multi AV Scanner detection for dropped file 37->197 199 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->199 201 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->201 213 2 other signatures 37->213 57 chrome.exe 37->57         started        59 chrome.exe 37->59         started        61 chrome.exe 37->61         started        203 Loading BitLocker PowerShell Module 41->203 63 conhost.exe 41->63         started        65 conhost.exe 43->65         started        141 172.67.209.202 CLOUDFLARENETUS United States 47->141 205 Query firmware table information (likely to detect VMs) 47->205 207 Found many strings related to Crypto-Wallets (likely being stolen) 47->207 209 Tries to steal Crypto Currency Wallets 47->209 143 239.255.255.250 unknown Reserved 49->143 211 Monitors registry run keys for changes 49->211 67 chrome.exe 49->67         started        145 23.37.188.210 AKAMAI-ASUS United States 51->145 70 conhost.exe 55->70         started        72 conhost.exe 55->72         started        74 3 other processes 55->74 signatures13 process14 dnsIp15 76 chrome.exe 57->76         started        79 chrome.exe 59->79         started        81 chrome.exe 61->81         started        117 142.250.181.132 GOOGLEUS United States 67->117 119 142.250.181.99 GOOGLEUS United States 67->119 121 3 other IPs or domains 67->121 process16 dnsIp17 157 142.250.181.3 GOOGLEUS United States 76->157 159 172.217.19.228 GOOGLEUS United States 76->159 161 2 other IPs or domains 76->161

                              Screenshots

                              Thumbnails

                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                              windows-stand

                              Antivirus, Machine Learning and Genetic Malware Detection

                              Initial Sample

                              SourceDetectionScannerLabelLink
                              file.exe50%ReversingLabsWin32.Infostealer.Tinba
                              file.exe100%AviraTR/Crypt.TPM.Gen
                              file.exe100%Joe Sandbox ML

                              Dropped Files

                              SourceDetectionScannerLabelLink
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe100%AviraTR/Crypt.TPM.Gen
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe100%AviraTR/ATRAPS.Gen
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe100%AviraTR/Crypt.XPACK.Gen
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe100%AviraHEUR/AGEN.1320706
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe100%AviraTR/Crypt.XPACK.Gen
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe100%Joe Sandbox ML
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe100%Joe Sandbox ML
                              C:\ProgramData\freebl3.dll0%ReversingLabs
                              C:\ProgramData\mozglue.dll0%ReversingLabs
                              C:\ProgramData\msvcp140.dll0%ReversingLabs
                              C:\ProgramData\nss3.dll0%ReversingLabs
                              C:\ProgramData\softokn3.dll0%ReversingLabs
                              C:\ProgramData\vcruntime140.dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe18%ReversingLabsWin32.Dropper.Generic
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe54%ReversingLabsWin32.Trojan.Amadey
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe67%ReversingLabsWin32.Trojan.LummaStealer
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe75%ReversingLabsWin32.Trojan.Generic
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe54%ReversingLabsWin32.Spyware.Lummastealer
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe81%ReversingLabsWin32.Trojan.Generic
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[4].exe88%ReversingLabsWin32.Trojan.Amadey
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[5].exe28%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll0%ReversingLabs
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe68%ReversingLabsWin32.Trojan.LummaStealer
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[3].exe67%ReversingLabsByteCode-MSIL.Backdoor.FormBook
                              C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe68%ReversingLabsWin32.Trojan.LummaStealer
                              C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe75%ReversingLabsWin32.Trojan.Generic
                              C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe18%ReversingLabsWin32.Dropper.Generic
                              C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe67%ReversingLabsByteCode-MSIL.Backdoor.FormBook
                              C:\Users\user\AppData\Local\Temp\1017985001\1e467b8b46.exe81%ReversingLabsWin32.Trojan.Generic
                              C:\Users\user\AppData\Local\Temp\1017987001\7bbff7a3a2.exe54%ReversingLabsWin32.Spyware.Lummastealer
                              C:\Users\user\AppData\Local\Temp\1017988001\2dc416cfa5.exe88%ReversingLabsWin32.Trojan.Amadey
                              C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe54%ReversingLabsWin32.Trojan.Amadey
                              C:\Users\user\AppData\Local\Temp\1017992001\e7bd366d99.exe67%ReversingLabsWin32.Trojan.LummaStealer
                              C:\Users\user\AppData\Local\Temp\1017993001\718f24a5dc.exe28%ReversingLabs
                              C:\Users\user\AppData\Local\Temp\1017994001\98679d2b4b.exe18%ReversingLabsWin32.Dropper.Generic
                              C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe50%ReversingLabsWin32.Infostealer.Tinba
                              C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe47%ReversingLabsWin32.Infostealer.Generic
                              C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe0%ReversingLabs

                              Unpacked PE Files

                              No Antivirus matches

                              Domains

                              No Antivirus matches

                              URLs

                              No Antivirus matches

                              Domains and IPs

                              Contacted Domains

                              No contacted domains info

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              https://steamcommunity.com/profiles/76561199809363512false
                                		high
                                aspecteirs.latfalse
                                  		high
                                  sustainskelet.latfalse
                                    		high
                                    rapeflowwj.latfalse
                                      		high
                                      energyaffai.latfalse
                                        		high
                                        grannyejh.latfalse
                                          		high
                                          pancakedipyps.clickfalse
                                            		high
                                            necklacebudi.latfalse
                                              		high

                                              URLs from Memory and Binaries

                                              NameSourceMaliciousAntivirus DetectionReputation
                                              https://treehoneyi.click/eml7=e565baa4b6.exe, 0000000A.00000003.3190256210.0000000000865000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://duckduckgo.com/chrome_newtaba2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://duckduckgo.com/ac/?q=a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.datacontract.org9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://treehoneyi.click/use565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            https://frostman.shop/hA63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.a2236cc5aa.exe, 00000009.00000003.2976264747.0000000003848000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.datacontract.org/2004/07/StoreInstaller.Models9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000016.00000003.3061403026.0000019246380000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://t.me/k04ael3494904393.exe, 0000000B.00000002.3054106984.000000000296B000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3078242620.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3078242620.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043796968.0000000000423000.00000008.00000001.01000000.00000010.sdmpfalse
                                                                      		high
                                                                      http://185.215.113.16/off/def.exevh128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        https://pancakedipyps.click/a2236cc5aa.exe, a2236cc5aa.exe, 00000009.00000002.3133800466.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2972854469.0000000003834000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3092499477.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3094940649.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3034726949.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029644708.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122847906.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029780575.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3137538281.00000000012A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://frostman.shop/yB63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            https://pancakedipyps.click/#a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.000000000128B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		unknown
                                                                              http://defaultcontainer/StoreInstaller;component/Resources/Theme/Light.xaml9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181004BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                https://grannyejh.lat:443/api128703c003.exe, 00000012.00000003.3011066639.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000012.00000002.3012509947.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3168584611.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3411535571.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3368738714.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3334478529.0000000001679000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://aka.ms/pscore6lBpowershell.exe, 0000000D.00000002.2914223441.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004541000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://grannyejh.lat/apiup128703c003.exe, 00000017.00000003.3168584611.000000000169B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      https://nuget.org/nuget.exepowershell.exe, 0000000D.00000002.2917207950.0000000005A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://www.microsoft.c63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3081412103.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3078242620.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3068983043.00000000007B6000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://github.com/Urijas/moperats/raw/refs/heads/main/ktyihkdfesf.exe3494904393.exe, 0000000B.00000002.3054106984.0000000002859000.00000004.00000800.00020000.00000000.sdmp, 3494904393.exe, 0000000B.00000000.2867570973.0000000000532000.00000002.00000001.01000000.0000000B.sdmp, 3494904393.exe, 0000000B.00000002.3054106984.0000000002842000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name3494904393.exe, 0000000B.00000002.3054106984.0000000002831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2914223441.0000000004A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004541000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181003C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://pancakedipyps.click/apia2236cc5aa.exe, a2236cc5aa.exe, 00000009.00000003.3119803218.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3094940649.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3092499477.0000000001284000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000122B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029437490.0000000001283000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122847906.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.0000000001284000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122658789.000000000122D000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3087755714.000000000383D000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3137538281.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.0000000001284000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3134231707.000000000122E000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3006552725.0000000001283000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3116794521.000000000383D000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3047195115.000000000382F000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3047775117.0000000003832000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://raw.githubusercontent.comD3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      https://treehoneyi.click/=lg7e565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		unknown
                                                                                                        https://grannyejh.lat:443/apical128703c003.exe, 00000017.00000003.3368738714.0000000001679000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3334478529.0000000001679000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          https://pancakedipyps.click/apiTa2236cc5aa.exe, 00000009.00000003.3119803218.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3094940649.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3122847906.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3137538281.00000000012A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		unknown
                                                                                                            http://schemas.datacontract.org/9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000D.00000002.2914223441.0000000004B75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://schemas.datacontract.org/2004/07/9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://treehoneyi.click/api&e565baa4b6.exe, 0000000A.00000002.3285986121.0000000000815000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3254207262.0000000000815000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		unknown
                                                                                                                        https://contoso.com/Iconpowershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://treehoneyi.click/ue565baa4b6.exe, 0000000A.00000003.3162109459.0000000005402000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		unknown
                                                                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://185.215.113.206/c4becf79229cb002.php)8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://crl.rootca1.amazontrust.com/rootca1.crl0a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://t.me/k04aelm0nk3Mozilla/5.063506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043796968.0000000000423000.00000008.00000001.01000000.00000010.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://raw.githubusercontent.com/Urijas/moperats/refs/heads/main/biyjdfjadaw.exe3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://treehoneyi.click/re565baa4b6.exe, 0000000A.00000003.3255326461.0000000005406000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        		unknown
                                                                                                                                        http://ocsp.rootca1.amazontrust.com0:a2236cc5aa.exe, 00000009.00000003.2973397042.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133975514.0000000005429000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3272707653.0000000005E96000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://pancakedipyps.click/apiHa2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000002.3135914108.000000000128B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            		unknown
                                                                                                                                            https://pancakedipyps.click:443/apiefault-release/key4.dbPKa2236cc5aa.exe, 00000009.00000002.3133800466.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3092499477.0000000001212000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3029437490.0000000001212000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              		unknown
                                                                                                                                              https://www.ecosia.org/newtab/a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br128703c003.exe, 00000017.00000003.3281980626.0000000006109000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://treehoneyi.click/;.e565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      		unknown
                                                                                                                                                      https://treehoneyi.click/e565baa4b6.exe, 0000000A.00000003.3132201109.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133060846.0000000005405000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3137766063.0000000005406000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3316209595.0000000005407000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3106309298.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3103245205.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3316055734.0000000005401000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3133607214.0000000005406000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3108132250.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3132201109.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3132555502.0000000005402000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3106075883.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3255326461.0000000005406000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3132410630.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3190290068.0000000005405000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3162109459.0000000005402000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005406000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        		unknown
                                                                                                                                                        http://www.w3.oh9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810059E000.00000004.00000800.00020000.00000000.sdmp, 9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.000001810026F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          http://defaultcontainer/StoreInstaller;component/Resources/app.Light.ico9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181004BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            		unknown
                                                                                                                                                            https://treehoneyi.click/apie565baa4b6.exe, 0000000A.00000003.3254207262.0000000000815000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3190222323.0000000000872000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000002.3288044439.000000000087B000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3253053792.0000000000863000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              		unknown
                                                                                                                                                              http://crl.microe565baa4b6.exe, 0000000A.00000003.3253053792.000000000085F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2913135607.0000000002D49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2972792900.0000000007FD2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                		high
                                                                                                                                                                https://raw.githubusercontent.com3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  		high
                                                                                                                                                                  http://foo/Resources/StoreLogo.Light.png9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    		unknown
                                                                                                                                                                    http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0za2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://treehoneyi.click/apiAe565baa4b6.exe, 0000000A.00000002.3287096139.0000000000863000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        		unknown
                                                                                                                                                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000D.00000002.2914223441.0000000004B75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2944804994.0000000004696000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.063506cf0a7384158900a9c4410789dbd.exe, 00000013.00000000.3043796968.0000000000423000.00000008.00000001.01000000.00000010.sdmpfalse
                                                                                                                                                                            		high
                                                                                                                                                                            http://raw.githubusercontent.com3494904393.exe, 0000000B.00000002.3054106984.000000000296F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refa2236cc5aa.exe, 00000009.00000003.2976264747.0000000003848000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                		high
                                                                                                                                                                                https://frostman.shop/63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  		unknown
                                                                                                                                                                                  https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477e565baa4b6.exe, 0000000A.00000003.3139904879.0000000005402000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    http://185.215.113.16/off/def.exe128703c003.exe, 00000017.00000003.3659903833.0000000001711000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      		high
                                                                                                                                                                                      http://185.215.113.206/c4becf79229cb002.phpM8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        		high
                                                                                                                                                                                        https://treehoneyi.click/apiZze565baa4b6.exe, 0000000A.00000003.3167500325.0000000000879000.00000004.00000020.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3166630569.0000000000874000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          		unknown
                                                                                                                                                                                          https://pancakedipyps.click/pia2236cc5aa.exe, 00000009.00000003.3092499477.000000000128B000.00000004.00000020.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.3119803218.000000000128B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            		unknown
                                                                                                                                                                                            https://grannyejh.lat/u128703c003.exe, 00000012.00000003.3011604086.00000000009E4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000012.00000002.3012509947.00000000009E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              		unknown
                                                                                                                                                                                              http://ocsp.sectigo.com0a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                		high
                                                                                                                                                                                                https://grannyejh.lat/apiM128703c003.exe, 00000017.00000003.3409861563.0000000005E73000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  		unknown
                                                                                                                                                                                                  https://web.telegram.org63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3068983043.00000000007B6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    		high
                                                                                                                                                                                                    http://185.215.113.206/c4becf79229cb002.phpa8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      		high
                                                                                                                                                                                                      https://frostman.shop/CA63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135615248.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3135498444.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3186628408.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3217460392.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3111755973.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3159345987.00000000007AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        		unknown
                                                                                                                                                                                                        https://github.com3494904393.exe, 0000000B.00000002.3054106984.00000000028CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          		high
                                                                                                                                                                                                          http://185.215.113.206/78a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            		high
                                                                                                                                                                                                            https://grannyejh.lat/p128703c003.exe, 00000017.00000003.3168584611.0000000001682000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3212635855.0000000005E58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              		unknown
                                                                                                                                                                                                              https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi128703c003.exe, 00000017.00000003.3287089252.0000000005EC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                		high
                                                                                                                                                                                                                https://contoso.com/Licensepowershell.exe, 00000010.00000002.2955040856.00000000055A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  		high
                                                                                                                                                                                                                  https://frostman.shop/w63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3257497509.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3391279863.00000000007B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    		unknown
                                                                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=a2236cc5aa.exe, 00000009.00000003.2810920560.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2810998044.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, a2236cc5aa.exe, 00000009.00000003.2811106417.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007424069.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007803937.00000000053A8000.00000004.00000800.00020000.00000000.sdmp, e565baa4b6.exe, 0000000A.00000003.3007230259.00000000053AB000.00000004.00000800.00020000.00000000.sdmp, 63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3645264390.000000000374C000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3427026577.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3171774719.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172070009.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3172606078.0000000005E18000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      		high
                                                                                                                                                                                                                      http://foo/bar/resources/storelogo.light.png9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181002F5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        		unknown
                                                                                                                                                                                                                        http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#a2236cc5aa.exe, 00000007.00000002.2763394812.000000000099F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          		high
                                                                                                                                                                                                                          http://185.215.113.206/68b591d6548ec281/sqlite3.dll8a13e339a3.exe, 00000015.00000003.3429758365.0000000001381000.00000004.00000020.00020000.00000000.sdmp, 8a13e339a3.exe, 00000015.00000003.3429758365.0000000001367000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            		high
                                                                                                                                                                                                                            http://185.215.113.206/c4becf79229cb002.phps8a13e339a3.exe, 00000015.00000003.3429013238.0000000001394000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              		high
                                                                                                                                                                                                                              http://185.215.113.16/H128703c003.exe, 00000017.00000003.3659903833.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3666383879.0000000001702000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                		unknown
                                                                                                                                                                                                                                https://frostman.shop/z63506cf0a7384158900a9c4410789dbd.exe, 00000013.00000003.3651769649.00000000007AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  		unknown
                                                                                                                                                                                                                                  http://foo/bar/resources/app.light.ico9c439e52050a49e0875bf199b254f370.exe, 00000014.00000002.3127340552.00000181004BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    		unknown
                                                                                                                                                                                                                                    https://grannyejh.lat/apit128703c003.exe, 00000012.00000002.3012272539.000000000099E000.00000004.00000020.00020000.00000000.sdmp, 128703c003.exe, 00000017.00000003.3168584611.0000000001682000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      		high

                                                                                                                                                                                                                                      World Map of Contacted IPs

                                                                                                                                                                                                                                      • No. of IPs < 25%
                                                                                                                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                      • 75% < No. of IPs

                                                                                                                                                                                                                                      Public IPs

                                                                                                                                                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                      185.215.113.43
                                                                                                                                                                                                                                      		unknownPortugal
                                                                                                                                                                                                                                      		206894WHOLESALECONNECTIONSNLtrue
                                                                                                                                                                                                                                      172.217.19.228
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      216.58.208.227
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      116.203.12.114
                                                                                                                                                                                                                                      		unknownGermany
                                                                                                                                                                                                                                      		24940HETZNER-ASDEfalse
                                                                                                                                                                                                                                      149.154.167.99
                                                                                                                                                                                                                                      		unknownUnited Kingdom
                                                                                                                                                                                                                                      		62041TELEGRAMRUfalse
                                                                                                                                                                                                                                      23.218.208.109
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		6453AS6453USfalse
                                                                                                                                                                                                                                      142.250.181.132
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      142.250.181.110
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      52.40.120.141
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		16509AMAZON-02USfalse
                                                                                                                                                                                                                                      34.117.188.166
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		139070GOOGLE-AS-APGoogleAsiaPacificPteLtdSGfalse
                                                                                                                                                                                                                                      172.67.209.202
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                      64.233.164.84
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      185.199.109.133
                                                                                                                                                                                                                                      		unknownNetherlands
                                                                                                                                                                                                                                      		54113FASTLYUSfalse
                                                                                                                                                                                                                                      64.233.162.84
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      31.41.244.11
                                                                                                                                                                                                                                      		unknownRussian Federation
                                                                                                                                                                                                                                      		61974AEROEXPRESS-ASRUfalse
                                                                                                                                                                                                                                      1.1.1.1
                                                                                                                                                                                                                                      		unknownAustralia
                                                                                                                                                                                                                                      		13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                      172.217.17.78
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      172.67.180.113
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                      104.21.64.80
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                      185.215.113.16
                                                                                                                                                                                                                                      		unknownPortugal
                                                                                                                                                                                                                                      		206894WHOLESALECONNECTIONSNLfalse
                                                                                                                                                                                                                                      20.233.83.145
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                      34.107.221.82
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      35.244.181.201
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      239.255.255.250
                                                                                                                                                                                                                                      		unknownReserved
                                                                                                                                                                                                                                      		unknownunknownfalse
                                                                                                                                                                                                                                      142.250.181.3
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      185.215.113.206
                                                                                                                                                                                                                                      		unknownPortugal
                                                                                                                                                                                                                                      		206894WHOLESALECONNECTIONSNLfalse
                                                                                                                                                                                                                                      35.190.72.216
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      34.160.144.191
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		2686ATGS-MMD-ASUSfalse
                                                                                                                                                                                                                                      142.250.181.99
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                                                                                                                                      23.37.188.210
                                                                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                                                                      		16625AKAMAI-ASUSfalse

                                                                                                                                                                                                                                      Private

                                                                                                                                                                                                                                      IP
                                                                                                                                                                                                                                      127.0.0.1

                                                                                                                                                                                                                                      General Information

                                                                                                                                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                      Analysis ID:1578628
                                                                                                                                                                                                                                      Start date and time:2024-12-20 00:09:09 +01:00
                                                                                                                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                      Overall analysis duration:0h 20m 35s
                                                                                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                      Report type:full
                                                                                                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                      Number of analysed new started processes analysed:61
                                                                                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                                                                                      Technologies:
                                                                                                                                                                                                                                      • HCA enabled
                                                                                                                                                                                                                                      • EGA enabled
                                                                                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                                                                                      Sample name:file.exe
                                                                                                                                                                                                                                      Detection:MAL
                                                                                                                                                                                                                                      Classification:mal100.phis.troj.spyw.evad.winEXE@149/127@0/31
                                                                                                                                                                                                                                      EGA Information:
                                                                                                                                                                                                                                      • Successful, ratio: 80%
                                                                                                                                                                                                                                      HCA Information:Failed
                                                                                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                                                                                      • Found application associated with file extension: .exe

                                                                                                                                                                                                                                      Warnings

                                                                                                                                                                                                                                      • Max analysis timeout: 600s exceeded, the analysis took too long
                                                                                                                                                                                                                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                                                                                                                                                      • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                                                                                                                                      • Execution Graph export aborted for target a2236cc5aa.exe, PID 5256 because there are no executed function
                                                                                                                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                      • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                      • VT rate limit hit for: file.exe

                                                                                                                                                                                                                                      Simulations

                                                                                                                                                                                                                                      Behavior and APIs

                                                                                                                                                                                                                                      TimeTypeDescription
                                                                                                                                                                                                                                      00:10:16Task SchedulerRun new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                      00:11:39AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 128703c003.exe C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                      00:11:47AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 128703c003.exe C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                      00:11:56AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 8a13e339a3.exe C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                      00:12:04AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 7ccdd68f3b.exe C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe
                                                                                                                                                                                                                                      00:12:13AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2fc1eb1411.exe C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe
                                                                                                                                                                                                                                      00:12:26AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 8a13e339a3.exe C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                      00:12:35AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 7ccdd68f3b.exe C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe
                                                                                                                                                                                                                                      00:12:45AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2fc1eb1411.exe C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe
                                                                                                                                                                                                                                      00:13:00Task SchedulerRun new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                                                                                                                                                                                                                                      00:14:10AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 8d966c471d.exe C:\Users\user\AppData\Local\Temp\1017995001\8d966c471d.exe
                                                                                                                                                                                                                                      00:14:19AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9c5dc2c478.exe C:\Users\user\AppData\Local\Temp\1017996001\9c5dc2c478.exe
                                                                                                                                                                                                                                      00:14:22Task SchedulerRun new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe
                                                                                                                                                                                                                                      00:14:28AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4e48e9ad99.exe C:\Users\user\AppData\Local\Temp\1017997001\4e48e9ad99.exe
                                                                                                                                                                                                                                      00:14:37AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ab2f510d23.exe C:\Users\user\AppData\Local\Temp\1017998001\ab2f510d23.exe
                                                                                                                                                                                                                                      00:14:46AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 8d966c471d.exe C:\Users\user\AppData\Local\Temp\1017995001\8d966c471d.exe
                                                                                                                                                                                                                                      00:14:55AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9c5dc2c478.exe C:\Users\user\AppData\Local\Temp\1017996001\9c5dc2c478.exe
                                                                                                                                                                                                                                      00:15:03AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4e48e9ad99.exe C:\Users\user\AppData\Local\Temp\1017997001\4e48e9ad99.exe
                                                                                                                                                                                                                                      00:15:11AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ab2f510d23.exe C:\Users\user\AppData\Local\Temp\1017998001\ab2f510d23.exe
                                                                                                                                                                                                                                      18:11:02API Interceptor15066916x Sleep call for process: skotes.exe modified
                                                                                                                                                                                                                                      18:11:17API Interceptor8x Sleep call for process: a2236cc5aa.exe modified
                                                                                                                                                                                                                                      18:11:24API Interceptor67x Sleep call for process: e565baa4b6.exe modified
                                                                                                                                                                                                                                      18:11:29API Interceptor20x Sleep call for process: powershell.exe modified
                                                                                                                                                                                                                                      18:11:36API Interceptor527x Sleep call for process: 128703c003.exe modified
                                                                                                                                                                                                                                      18:11:36API Interceptor60x Sleep call for process: 3494904393.exe modified
                                                                                                                                                                                                                                      18:11:45API Interceptor3x Sleep call for process: svchost.exe modified
                                                                                                                                                                                                                                      18:12:08API Interceptor91698x Sleep call for process: 8a13e339a3.exe modified
                                                                                                                                                                                                                                      18:12:19API Interceptor1x Sleep call for process: ebfedd813b.exe modified

                                                                                                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                                                                                                      IPs

                                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                      185.215.113.43file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, LummaC StealerBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      Tii6ue74NB.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, VidarBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYSBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      AWrVzd6XpC.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      file.exeGet hashmaliciousAmadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYSBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                                                                                                      • 185.215.113.43/Zu7JuNko/index.php
                                                                                                                                                                                                                                      116.203.12.114Setup.msiGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                        69633f.msiGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                          dZKPE9gotO.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                            nB52P46OJD.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                T0x859fNfn.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                                  149.154.167.99http://xn--r1a.website/s/ogorodruGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.org/img/favicon.ico
                                                                                                                                                                                                                                                  http://cryptorabotakzz.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.org/
                                                                                                                                                                                                                                                  http://cache.netflix.com.id1.wuush.us.kg/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
                                                                                                                                                                                                                                                  http://investors.spotify.com.sg2.wuush.us.kg/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.org/
                                                                                                                                                                                                                                                  http://bekaaviator.kz/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.org/
                                                                                                                                                                                                                                                  http://telegramtw1.org/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.org/?setln=pl
                                                                                                                                                                                                                                                  http://makkko.kz/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.org/
                                                                                                                                                                                                                                                  http://telegram.dogGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • telegram.dog/
                                                                                                                                                                                                                                                  LnSNtO8JIa.exeGet hashmaliciousCinoshi StealerBrowse
                                                                                                                                                                                                                                                  • t.me/cinoshibot
                                                                                                                                                                                                                                                  jtfCFDmLdX.exeGet hashmaliciousGurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRATBrowse
                                                                                                                                                                                                                                                  • t.me/cinoshibot

                                                                                                                                                                                                                                                  Domains

                                                                                                                                                                                                                                                  No context

                                                                                                                                                                                                                                                  ASNs

                                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                  TELEGRAMRU9KEZfGRjyK.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                                                                                  9KEZfGRjyK.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog StealerBrowse
                                                                                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                                                                                                                                                                                                                                  • 149.154.167.99
                                                                                                                                                                                                                                                  PURCHASE ORDER TRC-090971819130-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                                                                                  PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                                                                                  66776676676.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                                                                                  pM3fQBuTLy.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                                  • 149.154.167.99
                                                                                                                                                                                                                                                  QIo3SytSZA.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                                  • 149.154.167.99
                                                                                                                                                                                                                                                  _Company.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                                                  • 149.154.167.220
                                                                                                                                                                                                                                                  HETZNER-ASDEarm.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                                                  • 167.233.43.233
                                                                                                                                                                                                                                                  x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                                                                  • 5.9.64.77
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                                                                                                                                                                                                                                  • 94.130.191.168
                                                                                                                                                                                                                                                  t5lpvahkgypd7wy.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                                                                                                                                  • 213.239.239.164
                                                                                                                                                                                                                                                  2.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                  • 168.119.31.126
                                                                                                                                                                                                                                                  x86_64.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                  • 136.243.197.146
                                                                                                                                                                                                                                                  sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                                                                  • 5.9.225.47
                                                                                                                                                                                                                                                  pM3fQBuTLy.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                                  • 94.130.191.168
                                                                                                                                                                                                                                                  QIo3SytSZA.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                                  • 94.130.191.168
                                                                                                                                                                                                                                                  https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpegGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                                  • 195.201.152.110
                                                                                                                                                                                                                                                  WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog StealerBrowse
                                                                                                                                                                                                                                                  • 185.215.113.16
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, LummaC StealerBrowse
                                                                                                                                                                                                                                                  • 185.215.113.64
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                  • 185.215.113.206
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                                                                                                                                                                                                                                  • 185.215.113.43
                                                                                                                                                                                                                                                  Tii6ue74NB.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, VidarBrowse
                                                                                                                                                                                                                                                  • 185.215.113.206
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYSBrowse
                                                                                                                                                                                                                                                  • 185.215.113.43
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                                                                                                                                                                  • 185.215.113.206
                                                                                                                                                                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                  • 185.215.113.206
                                                                                                                                                                                                                                                  MFQbv2Yuzv.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                                                                                                                  • 185.215.113.16
                                                                                                                                                                                                                                                  Y41xQGmT37.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                                                                                                                                                  • 185.215.113.16

                                                                                                                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                                                                                                                  No context

                                                                                                                                                                                                                                                  Dropped Files

                                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                  C:\ProgramData\freebl3.dll1So9BcQi1J.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                                                                    Tii6ue74NB.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, VidarBrowse
                                                                                                                                                                                                                                                      AWrVzd6XpC.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                        ZXVcgrmGRM.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                                                                          D2Cw8gWOXj.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                            random.exe.7.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc, VidarBrowse
                                                                                                                                                                                                                                                              random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                stealc_default2.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                                                                                                                                  V65xPrgEHH.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, XmrigBrowse

                                                                                                                                                                                                                                                                      Created / dropped Files

                                                                                                                                                                                                                                                                      C:\ProgramData\BKFIJJEG

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):106496
                                                                                                                                                                                                                                                                      Entropy (8bit):1.136413900497188
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                                                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                                                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                                                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                                                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\26XT0Z

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):12666
                                                                                                                                                                                                                                                                      Entropy (8bit):5.47449330293569
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:mETv4bvarnPOeRnLYbBp6EkJ0aX+16SEXKvNVa5RHWNBw8dLSl:ZDeaJUsgcHEw00
                                                                                                                                                                                                                                                                      MD5:8598305FFEBC723063E9E66223CC8EF7
                                                                                                                                                                                                                                                                      SHA1:D8453CCF4A6732BEB735E7440F5E5A1D3250037A
                                                                                                                                                                                                                                                                      SHA-256:0565A1E58F9ABE06EADCC15730A5B31308097B2B639609DC60CF92B6173F9F83
                                                                                                                                                                                                                                                                      SHA-512:27356821DC9BC3C4FD1C4DC155CDF3FFD311105C785BE56C8B5F808073AD8033285942C679C76B3917B3ACBE001DF904EB78E52FC8EC3FC34801F48D47883792
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 4);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734650012);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734650012);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734650012);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173465

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\58GD2V

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):106496
                                                                                                                                                                                                                                                                      Entropy (8bit):1.136413900497188
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                                                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                                                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                                                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                                                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\9Z5X4W47G

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):51200
                                                                                                                                                                                                                                                                      Entropy (8bit):0.8746135976761988
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                                                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                                                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                                                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                                                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\AIMOHV

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):155648
                                                                                                                                                                                                                                                                      Entropy (8bit):0.5407252242845243
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                                                                                                                      MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                                                                                                                      SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                                                                                                                      SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                                                                                                                      SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\F3OHLN

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):98304
                                                                                                                                                                                                                                                                      Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\OHL68YCT0

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):40960
                                                                                                                                                                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\SJECBA

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):294912
                                                                                                                                                                                                                                                                      Entropy (8bit):0.08438200565341271
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v4U:51zkVmvQhyn+Zoz67NU
                                                                                                                                                                                                                                                                      MD5:F7EEE7B0D281E250D1D8E36486F5A2C3
                                                                                                                                                                                                                                                                      SHA1:309736A27E794672BD1BDFBAC69B2C6734FC25CE
                                                                                                                                                                                                                                                                      SHA-256:378DD46FE8A8AAC2C430AE8A7C5C1DC3C2A343534A64A263EC9A4F1CE801985E
                                                                                                                                                                                                                                                                      SHA-512:CE102A41CA4E2A27CCB27F415D2D69A75A0058BA0F600C23F63B89F30FFC982BA48336140714C522B46CC6D13EDACCE3DF0D6685D02844B8DB0AD3378DB9CABB
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\SRQ9HL

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):159744
                                                                                                                                                                                                                                                                      Entropy (8bit):0.5394293526345721
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                                                                                                                      MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                                                                                                                      SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                                                                                                                      SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                                                                                                                      SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\E3E3OPZUA1N7\VAIM7G

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 11, database pages 91, cookie 0x36, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):196608
                                                                                                                                                                                                                                                                      Entropy (8bit):1.2651531897062716
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:TY2qOB1nxCkMPSAELyKOMq+8yC8F/YfU5m+OlTLVumF:5q+n0JP9ELyKOMq+8y9/OwO
                                                                                                                                                                                                                                                                      MD5:C0DF2B635D24E4DEF5DE91983BA8E0DD
                                                                                                                                                                                                                                                                      SHA1:3F4C5852141857BEAA3E85450185A892D121CF24
                                                                                                                                                                                                                                                                      SHA-256:24FC73E4209742037A1CE3EE1D21EEED994A09EE40ED091F3252769187668F79
                                                                                                                                                                                                                                                                      SHA-512:E1B822320C58768671A1EFEAA6664D62242E74D522EB09F370686BC30D22ECBAC9F629330046616AD5277CE892BB00CE2111B70BA6692CB114270FBA20B185F7
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ .......[...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\HDAFHIDGIJKJKECBGDBGHDBKFH

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):98304
                                                                                                                                                                                                                                                                      Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\IECFIEGDBKJKFIDHIECG

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):51200
                                                                                                                                                                                                                                                                      Entropy (8bit):0.8746135976761988
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                                                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                                                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                                                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                                                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\JJDBGDHIIDAEBFHJJDBFIDGIJE

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):5242880
                                                                                                                                                                                                                                                                      Entropy (8bit):0.03859996294213402
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                                                                                                                                                                                      MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                                                                                                                                                                                      SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                                                                                                                                                                                      SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                                                                                                                                                                                      SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\JJJJKEHCAKFBFHJKEHCF

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):11830
                                                                                                                                                                                                                                                                      Entropy (8bit):5.462869230447137
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:YnPOeRnLYbBp63kJ0aX+H6SEXK5NVa5RHWNBw8d2Sl:CDeFJUascHEwD0
                                                                                                                                                                                                                                                                      MD5:A1A8FAC0125C7EE95206B26E8769E75D
                                                                                                                                                                                                                                                                      SHA1:0439342306BA7FB5A7465231FA6E40A5A3967854
                                                                                                                                                                                                                                                                      SHA-256:783A948152D9406B7E273D27BD5A7C1A382CD6E5E6661B403E7F5D72EE6923E6
                                                                                                                                                                                                                                                                      SHA-512:D6B3D84E0ABC4E05775CE9A76DBC1A0646BA02E245C0E7C3BD499BAD015B80BF639B5251684AB9335351B60E4F5C7AEF54FBED09FC295DE905E572A96E39E9A2
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1734649954);..user_pref("app.up

                                                                                                                                                                                                                                                                      C:\ProgramData\JKJDHDBKEBGHJJJJKEHD

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):40960
                                                                                                                                                                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\KFCFIEHC

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):196608
                                                                                                                                                                                                                                                                      Entropy (8bit):1.121297215059106
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                                                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                                                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                                                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                                                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):8192
                                                                                                                                                                                                                                                                      Entropy (8bit):0.3588072191296206
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
                                                                                                                                                                                                                                                                      MD5:663C5D6018506231E334FB3EA962ED1C
                                                                                                                                                                                                                                                                      SHA1:539A4641CE92E57E4ADEE32750A817326E596D4C
                                                                                                                                                                                                                                                                      SHA-256:066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
                                                                                                                                                                                                                                                                      SHA-512:5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:*.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x95f5fb18, page size 16384, Windows version 10.0
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1310720
                                                                                                                                                                                                                                                                      Entropy (8bit):0.6583976768541445
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:ZSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Zaza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                                                                                                                                                                                                                      MD5:7A0ABB4147D12834439BB287FC247C66
                                                                                                                                                                                                                                                                      SHA1:3134AEA6B37224962343913EC008F6FC31FEE199
                                                                                                                                                                                                                                                                      SHA-256:3C36F20B1A04FF691191703EA4AE27BAE374C4AEF41F445085D78FEEA1A1076F
                                                                                                                                                                                                                                                                      SHA-512:507AB2085AECFF33311286BED769824A0A59E58BD797954C21A482744B9CBAD5F4C56FA4734DAAFE4C301C4F6A9C7A52DA42A6F1BC05419EC6A0E7AF3506A4E1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Preview:....... ...............X\...;...{......................T.~..........|..-....|..h.|..........|..T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{....................................2......|.....................u.....|...........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\freebl3.dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):685392
                                                                                                                                                                                                                                                                      Entropy (8bit):6.872871740790978
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                                                                                                      MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                                                                                                      SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                                                                                                      SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                                                                                                      SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Joe Sandbox View:
                                                                                                                                                                                                                                                                      • Filename: 1So9BcQi1J.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: Tii6ue74NB.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: AWrVzd6XpC.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: ZXVcgrmGRM.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: D2Cw8gWOXj.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: random.exe.7.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: random.exe.6.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: stealc_default2.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: V65xPrgEHH.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\mozglue.dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):608080
                                                                                                                                                                                                                                                                      Entropy (8bit):6.833616094889818
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                                                                                                      MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                                                                                                      SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                                                                                                      SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                                                                                                      SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\msvcp140.dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):450024
                                                                                                                                                                                                                                                                      Entropy (8bit):6.673992339875127
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                                                                                                      MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                                                                                                      SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                                                                                                      SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                                                                                                      SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\nss3.dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2046288
                                                                                                                                                                                                                                                                      Entropy (8bit):6.787733948558952
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                                                                                                                      MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                                                                                                                      SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                                                                                                                      SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                                                                                                                      SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\softokn3.dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):257872
                                                                                                                                                                                                                                                                      Entropy (8bit):6.727482641240852
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                                                                                                      MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                                                                                                      SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                                                                                                      SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                                                                                                      SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\ProgramData\vcruntime140.dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):80880
                                                                                                                                                                                                                                                                      Entropy (8bit):6.920480786566406
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                                                                                                      MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                                                                                                      SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                                                                                                      SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                                                                                                      SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9c439e52050a49e0875bf199b254f370.exe.log

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4017
                                                                                                                                                                                                                                                                      Entropy (8bit):5.365271649872934
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:iqbYqGSI6ou/fmOYqSqtzHeqKksvoqdqZ4UqqI9m1RWQvqh:iqbYqGcn/uHqXtzHeqKksvoqdqZrqqxQ
                                                                                                                                                                                                                                                                      MD5:5AE8E4F3A04541A6E49A025DC877C086
                                                                                                                                                                                                                                                                      SHA1:7369D60293F7DEEC11B8181B5E527148CE7F2F5F
                                                                                                                                                                                                                                                                      SHA-256:5262E4D29ECBC33479F0F64EC5F90AEC90055A3FC90DAAC8DDFAF7B30E5336B0
                                                                                                                                                                                                                                                                      SHA-512:FDDCB3BE9DF19ABD547A53BE3F6202DFBDBD94A362EC5D03ECC083846E75467C54682C769F41B2E99D95CD49F6F662D03B2A890FC764765EE975172088BB8F88
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2fc1eb1411.exe.log

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):226
                                                                                                                                                                                                                                                                      Entropy (8bit):5.360398796477698
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                                                                                                                                                                                                                                      MD5:3A8957C6382192B71471BD14359D0B12
                                                                                                                                                                                                                                                                      SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                                                                                                                                                                                                                                      SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                                                                                                                                                                                                                                      SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3494904393.exe.log

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe
                                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):1058
                                                                                                                                                                                                                                                                      Entropy (8bit):5.356262093008712
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:ML9E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4KzeR:MxHKlYHKh3owH8tHo6hAHKzeR
                                                                                                                                                                                                                                                                      MD5:B2EFBF032531DD2913F648E75696B0FD
                                                                                                                                                                                                                                                                      SHA1:3F1AC93E4C10AE6D48E6CE1745D23696FD6554F6
                                                                                                                                                                                                                                                                      SHA-256:4E02B680F9DAB8F04F2443984B5305541F73B52A612129FCD8CC0C520C831E4B
                                                                                                                                                                                                                                                                      SHA-512:79430DB7C12536BDC06F21D130026A72F97BB03994CE2F718F82BB9ACDFFCA926F1292100B58B0C788BDDF739E87965B8D46C8F003CF5087F75BEFDC406295BC
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ebfedd813b.exe.log

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1216
                                                                                                                                                                                                                                                                      Entropy (8bit):5.34331486778365
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                                                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                                                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                                                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                                                                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0f1012a1-9a67-4dc7-95e7-af3cf3195a57.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):44628
                                                                                                                                                                                                                                                                      Entropy (8bit):6.095592488492354
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kkB9wu0hDO6vP6O39u1/JQ7lDkVacGoup1Xl3jVzXr2:z/Ps+wsI7ynED6XUuchu3VlXr4CRo1
                                                                                                                                                                                                                                                                      MD5:BC8182AB5613F6231F1A46FB7C3AF122
                                                                                                                                                                                                                                                                      SHA1:41FC537E5172284F24870F106F24EDFAA1D2A0C8
                                                                                                                                                                                                                                                                      SHA-256:E0A904EE76EB67671819B5234BB440E18C027622111D77B438A5DC22DB9D9EE2
                                                                                                                                                                                                                                                                      SHA-512:7DB06B278CE2267C971EF1F9CFD445566DAA64B7C90C314C069672B09F0EDAE8946691CD02E6C5A9A6FF883E652781C3A31E0B65F696B2ACFADA505E61C47F25
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5d5b2083-6644-40c1-aa28-403141127c74.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):44137
                                                                                                                                                                                                                                                                      Entropy (8bit):6.090708692820131
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kkBMewuF9hDO6vP6O+Ptbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEo6utbz8hu3VlXr4CRo1
                                                                                                                                                                                                                                                                      MD5:8978E28B25E3B8A3ECA85411660FDA1C
                                                                                                                                                                                                                                                                      SHA1:3246E79E35E545F2705A8BB9249F28550BE7ADEB
                                                                                                                                                                                                                                                                      SHA-256:E31276FD7F8556A8440847F23ACA0351EC73BCBCD2F1BAD1FF33AB365B18E291
                                                                                                                                                                                                                                                                      SHA-512:3CE40725D3ED586C37CA8E337D55BBC867456DB248305F4FE3C137003856F03D82D8A50B6DBBAA6EACDCB63AF5FFB2A755D6416368FE3350CE0011DB4A980A7E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):280
                                                                                                                                                                                                                                                                      Entropy (8bit):3.0461987566804245
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:FiWWltlApdeXKe/wBVP/Sh/JzvPWVcRVEVg3WWD54llt:o1ApdeaOwBVsJDu2ziy54/
                                                                                                                                                                                                                                                                      MD5:02782FAC29D38EA69C940C2449D80718
                                                                                                                                                                                                                                                                      SHA1:86A6D7B6E557423CA0599FA2D08B84423E8133E2
                                                                                                                                                                                                                                                                      SHA-256:AD698E12C3D7A76B1B1B6CA32F37B706F15440EC8FFBF7C8BF8CCDB418F2E36F
                                                                                                                                                                                                                                                                      SHA-512:C4279E8454F0266CFE47854F66F58C40850CD8C4F17BC4C00EFA925CF2F6B034B12DC9CF3CF5130F2F0A24B1AF0258BBF1123E785148B16D3D0256EE2F9BEF2C
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:sdPC......................X..<EE..r/y...................................................................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):13
                                                                                                                                                                                                                                                                      Entropy (8bit):2.7192945256669794
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:NYLFRQI:ap2I
                                                                                                                                                                                                                                                                      MD5:BF16C04B916ACE92DB941EBB1AF3CB18
                                                                                                                                                                                                                                                                      SHA1:FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
                                                                                                                                                                                                                                                                      SHA-256:7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
                                                                                                                                                                                                                                                                      SHA-512:F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:117.0.2045.47

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):44137
                                                                                                                                                                                                                                                                      Entropy (8bit):6.090708692820131
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kkBMewuF9hDO6vP6O+Ptbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEo6utbz8hu3VlXr4CRo1
                                                                                                                                                                                                                                                                      MD5:8978E28B25E3B8A3ECA85411660FDA1C
                                                                                                                                                                                                                                                                      SHA1:3246E79E35E545F2705A8BB9249F28550BE7ADEB
                                                                                                                                                                                                                                                                      SHA-256:E31276FD7F8556A8440847F23ACA0351EC73BCBCD2F1BAD1FF33AB365B18E291
                                                                                                                                                                                                                                                                      SHA-512:3CE40725D3ED586C37CA8E337D55BBC867456DB248305F4FE3C137003856F03D82D8A50B6DBBAA6EACDCB63AF5FFB2A755D6416368FE3350CE0011DB4A980A7E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF54a9d.TMP (copy)

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):44137
                                                                                                                                                                                                                                                                      Entropy (8bit):6.090708692820131
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kkBMewuF9hDO6vP6O+Ptbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEo6utbz8hu3VlXr4CRo1
                                                                                                                                                                                                                                                                      MD5:8978E28B25E3B8A3ECA85411660FDA1C
                                                                                                                                                                                                                                                                      SHA1:3246E79E35E545F2705A8BB9249F28550BE7ADEB
                                                                                                                                                                                                                                                                      SHA-256:E31276FD7F8556A8440847F23ACA0351EC73BCBCD2F1BAD1FF33AB365B18E291
                                                                                                                                                                                                                                                                      SHA-512:3CE40725D3ED586C37CA8E337D55BBC867456DB248305F4FE3C137003856F03D82D8A50B6DBBAA6EACDCB63AF5FFB2A755D6416368FE3350CE0011DB4A980A7E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF54adb.TMP (copy)

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):44137
                                                                                                                                                                                                                                                                      Entropy (8bit):6.090708692820131
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kkBMewuF9hDO6vP6O+Ptbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEo6utbz8hu3VlXr4CRo1
                                                                                                                                                                                                                                                                      MD5:8978E28B25E3B8A3ECA85411660FDA1C
                                                                                                                                                                                                                                                                      SHA1:3246E79E35E545F2705A8BB9249F28550BE7ADEB
                                                                                                                                                                                                                                                                      SHA-256:E31276FD7F8556A8440847F23ACA0351EC73BCBCD2F1BAD1FF33AB365B18E291
                                                                                                                                                                                                                                                                      SHA-512:3CE40725D3ED586C37CA8E337D55BBC867456DB248305F4FE3C137003856F03D82D8A50B6DBBAA6EACDCB63AF5FFB2A755D6416368FE3350CE0011DB4A980A7E
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):85
                                                                                                                                                                                                                                                                      Entropy (8bit):4.3488360343066725
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
                                                                                                                                                                                                                                                                      MD5:265DB1C9337422F9AF69EF2B4E1C7205
                                                                                                                                                                                                                                                                      SHA1:3E38976BB5CF035C75C9BC185F72A80E70F41C2E
                                                                                                                                                                                                                                                                      SHA-256:7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
                                                                                                                                                                                                                                                                      SHA-512:3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Edge\User Data\abebfefb-e863-497e-8afd-43f86056dd1c.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):44628
                                                                                                                                                                                                                                                                      Entropy (8bit):6.095592488492354
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kkB9wu0hDO6vP6O39u1/JQ7lDkVacGoup1Xl3jVzXr2:z/Ps+wsI7ynED6XUuchu3VlXr4CRo1
                                                                                                                                                                                                                                                                      MD5:BC8182AB5613F6231F1A46FB7C3AF122
                                                                                                                                                                                                                                                                      SHA1:41FC537E5172284F24870F106F24EDFAA1D2A0C8
                                                                                                                                                                                                                                                                      SHA-256:E0A904EE76EB67671819B5234BB440E18C027622111D77B438A5DC22DB9D9EE2
                                                                                                                                                                                                                                                                      SHA-512:7DB06B278CE2267C971EF1F9CFD445566DAA64B7C90C314C069672B09F0EDAE8946691CD02E6C5A9A6FF883E652781C3A31E0B65F696B2ACFADA505E61C47F25
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\json[1].json

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):450
                                                                                                                                                                                                                                                                      Entropy (8bit):5.300117352760911
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12:MVBX8QNJBiROpUHuguG7UqqbgxH1KYpm4k7OpUHu3:OBfNaoCHuTG7Uqi4H17dCHu3
                                                                                                                                                                                                                                                                      MD5:80FAC6FFC34385EF485EE3DC62C7F748
                                                                                                                                                                                                                                                                      SHA1:0F3214DD9654E067EA854E7DDCB4FE3CE3053CB5
                                                                                                                                                                                                                                                                      SHA-256:1B5859B9D01650B1877618F3B03F9564B32F7B1B809C5819265BB70BB13188C2
                                                                                                                                                                                                                                                                      SHA-512:42253C446E37C73326B6A81337B2DB73E18449E2FDC613A7E832CEA339B65298AB651A07E705585D994D29F1389FE608C19EBC3912774AB0EE8C5FCCE19F2D53
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/ABE5D14DCF6B3EE681038727AA795480",.. "faviconUrl": "https://assets.msn.com/statics/icons/favicon_newtabpage.png",.. "id": "ABE5D14DCF6B3EE681038727AA795480",.. "title": "New tab",.. "type": "page",.. "url": "edge://newtab/",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/ABE5D14DCF6B3EE681038727AA795480"..} ]..

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):22016
                                                                                                                                                                                                                                                                      Entropy (8bit):5.338206717136569
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:78HIRrJs1HLBDhq5RWBNBlBThtq2uoyLizwxeNLHdWuNMV275RtAcL8SFS69rvwM:Qqls1HLBDhIRWbXlq2uVk75RuSFSm6EJ
                                                                                                                                                                                                                                                                      MD5:04F57C6FB2B2CD8DCC4B38E4A93D4366
                                                                                                                                                                                                                                                                      SHA1:61770495AA18D480F70B654D1F57998E5BD8C885
                                                                                                                                                                                                                                                                      SHA-256:51E4D0CBC184B8ABFA6D84E219317CF81BD542286A7CC602C87EB703A39627C2
                                                                                                                                                                                                                                                                      SHA-512:53F95E98A5ECA472ED6B1DFD6FECD1E28EA66967A1B3AA109FE911DBB935F1ABF327438D4B2FE72CF7A0201281E9F56F4548F965B96E3916B9142257627E6CCD
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 18%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.7..........."...0..L...........j... ........@.. ....................................`.................................<j..O....................................i..8............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................pj......H.......(7...2...........................................................0..8.......s/.....(....} .....}!.....}.....| .....(...+.| ...(....*.0..P........~.........,B.r...p(.....r...p(.....(.....r...p.(....(......(....o......(......*.0..8.......s2.....(....}(.....}).....}'....|(.....(...+.|(...(....*.0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+...*.0............r...p( ...o!....+..*...0............r...p( ...o!....+..*...0..2.........r...pr...p

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2817024
                                                                                                                                                                                                                                                                      Entropy (8bit):6.502583084865015
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:M7ElLg4wLHnisqQk6Oeq/s+RYoL+w3moQsKDURHr9:M7El07EQkdeqFRYCz3moQzDuL9
                                                                                                                                                                                                                                                                      MD5:27D1C23073BBF3BE2092A18AB4CF9818
                                                                                                                                                                                                                                                                      SHA1:CC101A86E9519506179C51B3FE675A52A701C6BE
                                                                                                                                                                                                                                                                      SHA-256:FBE50F1EE3463F3B76126739B438AF49EDD32FCE2B636F57A9741B1689160C8B
                                                                                                                                                                                                                                                                      SHA-512:AE692D5679119EA1E07832A2ABC2ACC3B58E76BF6BAA1CD43CB0AF30EA0AAC684DB9C53B0CE8AFCCAEC5FDFFCBED0254FD4F8D7C20B32C00EB3F53C839FBED5A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....\.+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...ehjhpitf..*......n*..h..............@...ijjaccto. ... +.......*.............@....taggant.@...@+.."....*.............@...................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):3286016
                                                                                                                                                                                                                                                                      Entropy (8bit):7.310046848182974
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:yla31k0wuMKWrJSYQTdfjfkn46z2jnVGd7jyy7qaJJR0BmXSyYO3:yla3/tS4K2jnVGRjHLJfV
                                                                                                                                                                                                                                                                      MD5:C00A67D527EF38DC6F49D0AD7F13B393
                                                                                                                                                                                                                                                                      SHA1:7B8F2DE130AB5E4E59C3C2F4A071BDA831AC219D
                                                                                                                                                                                                                                                                      SHA-256:12226CCAE8C807641241BA5178D853AAD38984EEFB0C0C4D65ABC4DA3F9787C3
                                                                                                                                                                                                                                                                      SHA-512:9286D267B167CBA01E55E68C8C5582F903BED0DD8BC4135EB528EF6814E60E7D4DDA2B3611E13EFB56AA993635FBAB218B0885DAF5DAEA6043061D8384AF40CA
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[3].exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 54%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....V...............P.../..Z......../.. ....0...@.. ........................2...........@.................................../.K.....0.@W...................`2.....3./.............................................. ............... ..H............text...../.. ..../................. ..`.rsrc...@W....0..X..../.............@..@.reloc.......`2......"2.............@..B................../.....H...........@.......C...@...z.*.........................................6+.(B.99(....*..:+.(.^A.(!...*.....*....(*...*.....*.......*.......*....(*...*..0..........(*...8y.......E....c...O.../...8^...s......... .....:....&8....s.........8....s......... .....9....& ....8....s......... ....8....*s.........8.......0.............*.0.............*.0.............*.0.............*.0.............*....*.......*....0.............*.0.............*....*....0.............*....*...".......

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[4].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):810496
                                                                                                                                                                                                                                                                      Entropy (8bit):7.808597434734726
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:grtEhokkSG4bPWQ8C8z3zcB49CNPWQ8C8z3zcB49Cx:grGhokkSG4bPWQv8z3BYNPWQv8z3BYx
                                                                                                                                                                                                                                                                      MD5:E8AF4D0D0B47AC68D762B7F288AE8E6E
                                                                                                                                                                                                                                                                      SHA1:1D65F31526CC20AB41D6B1625D6674D7F13E326C
                                                                                                                                                                                                                                                                      SHA-256:B83449768E7AF68867C8BC42B19FF012722D88EA66AEF69DF48661E63E0EB15E
                                                                                                                                                                                                                                                                      SHA-512:80FAD90314FF639F538A72C5E4CA2BF9AE52B9309CAA7CD6F87D61791505BB3612B7F3190AB9B67348C5D71F4D29BB9D101E3F66D525EB9B5E2060A10B2D187A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 67%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....^g.........."......f........................@.......................................@.....................................P....p..........................x...........................x.......................`...|............................text...md.......f.................. ..`.rdata..............n..............@..@.data...,%... ......................@....CODE........P....... .............. ..`.tls.........`.......0..............@....rsrc........p.......2..............@..@.reloc..x............4..............@..B.bss.................R..............@....bss.........0......................@...................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1885696
                                                                                                                                                                                                                                                                      Entropy (8bit):7.9502129539309525
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:xygWjRQ3HLL/piTRSyEvGqpGl3Ao1cVPeb3ymHw2NG:ggrHpi8yhqclT1vtN
                                                                                                                                                                                                                                                                      MD5:25FB9C54265BBACC7A055174479F0B70
                                                                                                                                                                                                                                                                      SHA1:4AF069A2EC874703A7E29023D23A1ADA491B584E
                                                                                                                                                                                                                                                                      SHA-256:552F8BE2C6B2208A89C728F68488930C661B3A06C35A20D133EF7D3C63A86B9C
                                                                                                                                                                                                                                                                      SHA-512:7DFD9E0F3FA2D68A6CE8C952E3B755559DB73BB7A06C95AD6ED8AC16DEDB49BE8B8337AFC07C9C682F0C4BE9DB291A551286353E2E2B624223487DC1C8B54668
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 75%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................J...........@...........................J.....%-....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...uzxdwyvi.P... 0..B...^..............@...efzdldig.....pJ.....................@....taggant.0....J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):970240
                                                                                                                                                                                                                                                                      Entropy (8bit):6.702836450851498
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8aLpAZqZJ:5TvC/MTQYxsWR7aLmZqZ
                                                                                                                                                                                                                                                                      MD5:134E8ED7546996583F248F49C87D99A2
                                                                                                                                                                                                                                                                      SHA1:7998F64C61662137E5ED3F0DBBE88DAC493AD95C
                                                                                                                                                                                                                                                                      SHA-256:99EAD08700A6DB4F3D6FBC4DD6E9435A32E4D0BF168E241C46E34CEF8620CECD
                                                                                                                                                                                                                                                                      SHA-512:CC08EFC2721FD49E971AF55F3ED05114B9D9FE3EE51ECC7EF7ED2F9299A8A46E7FBFEB9CBAF6388079F00098C8B101D73B760FE843A70A8F0A63910DF75E4D0A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....dg..........".................w.............@..........................0......Bx....@...@.......@.....................d...|....@...b.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....b...@...d..................@..@.reloc...u.......v...X..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[3].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):21504
                                                                                                                                                                                                                                                                      Entropy (8bit):5.336742061370928
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:JiynHMEyyp/He7ik+KcJB669mNPBqVgYERHtNNVYISZS1d7RroV5:PHvtm7ik+KcJB6jRHkISZShkn
                                                                                                                                                                                                                                                                      MD5:14BECDF1E2402E9AA6C2BE0E6167041E
                                                                                                                                                                                                                                                                      SHA1:72CBBAE6878F5E06060A0038B25EDE93B445F0DF
                                                                                                                                                                                                                                                                      SHA-256:7A769963165063758F15F6E0CECE25C9D13072F67FA0D3C25A03A5104FE0783A
                                                                                                                                                                                                                                                                      SHA-512:16B837615505F352E134AFD9D8655C9CABFA5BFCFBEE2C0C34F2D7D9588AA71F875E4E5FEB8CDF0F7BACC00F7C1CA8DABD3B3D92AFC99ABF705C05C78E298B4A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 54%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...pm;..........."...0..J..........:i... ........@.. ....................................`..................................h..O...................................Th..8............................................ ............... ..H............text...@I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................i......H........6..p1...........................................................0..8.......s2.....(....}<.....}=.....};....|<.....(...+.|<...(....*.0..P........~.........,B.r...p(.....rc..p(.....(.....r...p.(....(......(....o......(......*.0..8.......s,.....(....}......}......}.....|......(...+.|....(....*.0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+...*.0............r...p( ...o!....+..*...0............r...p( ...o!....+..*...0..2.........r...pr...p

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[4].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4470784
                                                                                                                                                                                                                                                                      Entropy (8bit):7.98631408508455
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:98304:n2HUae1lrFMtxO8BIfxMw4Azf21lpvXpnmD7ElhvpJdOXyDvTn:7/MDO9fxMSC1lpvXikkkvTn
                                                                                                                                                                                                                                                                      MD5:A662856DF913178C0E54B194AFE4DD2B
                                                                                                                                                                                                                                                                      SHA1:5CC4318E946E1A6F9625019D9E5150E480AEB2BF
                                                                                                                                                                                                                                                                      SHA-256:F7B0783FDB5C0E335976B3F4BAA43D8E76925AE478F341200C9474F1126ED7CB
                                                                                                                                                                                                                                                                      SHA-512:0E87B88F79B1F2B68EA907E9975979F587EC5C0451001B5404E4CC44EBC2E1072AE2F9B297E2A44A51D458622F076A2512265C8F48FE9BCD05626D17B2ABC9DE
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...`.......pH...@.................................O.D...@... ............................._pt.s....`t......................N...............................M...................................................... . .Pt......L(.................@....rsrc........`t......\(.............@....idata .....pt......^(.............@... . 9...t......`(.............@...pgbzfndf.............b(.............@...xfbmxldi.....P........D.............@....taggant.0...`..."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):685392
                                                                                                                                                                                                                                                                      Entropy (8bit):6.872871740790978
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                                                                                                      MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                                                                                                      SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                                                                                                      SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                                                                                                      SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):608080
                                                                                                                                                                                                                                                                      Entropy (8bit):6.833616094889818
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                                                                                                      MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                                                                                                      SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                                                                                                      SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                                                                                                      SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):450024
                                                                                                                                                                                                                                                                      Entropy (8bit):6.673992339875127
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                                                                                                      MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                                                                                                      SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                                                                                                      SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                                                                                                      SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2046288
                                                                                                                                                                                                                                                                      Entropy (8bit):6.787733948558952
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                                                                                                                      MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                                                                                                                      SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                                                                                                                      SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                                                                                                                      SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1800704
                                                                                                                                                                                                                                                                      Entropy (8bit):7.947640823884506
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:Zl78yuxW3WLrcjKsLhJahTiN5yhwNPb6jQVBT5q:Zu/xWGQKsLbSaIiNjSAW
                                                                                                                                                                                                                                                                      MD5:3647AF905F92B479113300608444F101
                                                                                                                                                                                                                                                                      SHA1:84E4D4C7BEDA95176AD3DDFCF10169F7DA8E2BEA
                                                                                                                                                                                                                                                                      SHA-256:6EB4D74F0C7CF5780099F4DA5EA6F57C0648AD552888F7ACCF0C5251AE27BCAC
                                                                                                                                                                                                                                                                      SHA-512:4CDEDDE69EC6D8EC92FFAF2CE4E5CC6ED39A954672D88F548ED8F7AD80F44BF875725EBF8593E1440CC939860E0E3F09E4E13092FB59F4A5A8600B8CE5167BB7
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................0G...........@..........................`G.....0.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..(..@.......\..............@...ijtgtnqw..... .......^..............@...jumutqrp..... G......T..............@....taggant.0...0G.."...X..............@...................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[2].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1928704
                                                                                                                                                                                                                                                                      Entropy (8bit):7.94324154252622
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:rTMq5MIQ0Tqibh61R5agdp707srnnouWcbxdt+ogki:nMq5M3iwR5agdiSnnoybbt+J
                                                                                                                                                                                                                                                                      MD5:4E341A5E65522DC7AD83BAB52F3E60F8
                                                                                                                                                                                                                                                                      SHA1:D3A1D76710068D38CD35ED908C0677263F5D97E9
                                                                                                                                                                                                                                                                      SHA-256:9AFAD313FDB3A41015EC415280986B4D596B1DC07BCC46B49F5BEE6FCF5FB54C
                                                                                                                                                                                                                                                                      SHA-512:27C41EDDED8E29F87BE28BB93E86AE26129F28A63134235FA38493909BEF08B2559B0DA1BD03C4E2856B7CC6DBD2174650E7E3634F015E9F600F25BAB4A4D3AC
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@.......p............@.........................................................................[.A.o.....@.....................................................\...................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... .P)...A.....................@...bpztmzrt......j..v..................@...skyqimte.....`.......H..............@....taggant.0...p..."...L..............@...........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[3].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1880576
                                                                                                                                                                                                                                                                      Entropy (8bit):7.947827107801024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:ZRGDbjz7g+LRMpnd6dc8dwpW+8cYsjL1i:ZRGDrky0nd6dcmUT8AjL1i
                                                                                                                                                                                                                                                                      MD5:FF279F4E5B1C6FBDA804D2437C2DBDC8
                                                                                                                                                                                                                                                                      SHA1:2FEB3762C877A5AE3CA60EEEBC37003AD0844245
                                                                                                                                                                                                                                                                      SHA-256:E115298AB160DA9C7A998E4AE0B72333F64B207DA165134CA45EB997A000D378
                                                                                                                                                                                                                                                                      SHA-512:C7A8BBCB122B2C7B57C8B678C5EED075EE5E7C355AFBF86238282D2D3458019DA1A8523520E1A1C631CD01B555F7DF340545FD1E44AD678DC97C40B23428F967
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 81%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................0J...........@..........................`J.....i.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...xnuzvlhe.0..../......^..............@...tzuttanx..... J.....................@....taggant.0...0J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[4].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4438776
                                                                                                                                                                                                                                                                      Entropy (8bit):7.99505709582503
                                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                                      SSDEEP:98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
                                                                                                                                                                                                                                                                      MD5:3A425626CBD40345F5B8DDDD6B2B9EFA
                                                                                                                                                                                                                                                                      SHA1:7B50E108E293E54C15DCE816552356F424EEA97A
                                                                                                                                                                                                                                                                      SHA-256:BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
                                                                                                                                                                                                                                                                      SHA-512:A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[5].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1374720
                                                                                                                                                                                                                                                                      Entropy (8bit):7.0671827674657335
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:fYlZH+uQDPYLZtPikfLyXFD3qRc4f6GO4k88P9VB77Ml8fmMxHr:fYu7DPYLZtakzyVD3ELCh//+8fmW
                                                                                                                                                                                                                                                                      MD5:669ED3665495A4A52029FF680EC8EBA9
                                                                                                                                                                                                                                                                      SHA1:7785E285365A141E307931CA4C4EF00B7ECC8986
                                                                                                                                                                                                                                                                      SHA-256:2D2D405409B128EEA72A496CCFF0ED56F9ED87EE2564AE4815B4B116D4FB74D6
                                                                                                                                                                                                                                                                      SHA-512:BEDC8F7C1894FC64CDD00EBC58B434B7D931E52C198A0FA55F16F4E3D44A7DC4643EAA78EC55A43CC360571345CD71D91A64037A135663E72EED334FE77A21E6
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 28%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.D..........&....&..........................@..........................p......\U....@... ..............................P..........,l.......................c...................................................T...............................text...............................`..`.data...H...........................@....rdata..............................@..@.eh_fram............p..............@..@.bss....4....@...........................idata.......P......................@....CRT....8....p.......$..............@....tls.................&..............@....rsrc...,l.......n...(..............@..@.reloc...c.......d..................@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):257872
                                                                                                                                                                                                                                                                      Entropy (8bit):6.727482641240852
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                                                                                                      MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                                                                                                      SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                                                                                                      SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                                                                                                      SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):80880
                                                                                                                                                                                                                                                                      Entropy (8bit):6.920480786566406
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                                                                                                      MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                                                                                                      SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                                                                                                      SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                                                                                                      SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):3581
                                                                                                                                                                                                                                                                      Entropy (8bit):5.395971367557378
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:6NnCmHCNNnC/YbCMNnCKq89CK/NnCRdgECINnCzivioCzijNnC85IdDC8gNnCUwx:6NGNJNpqS/NijNyivi5ijNnidLgNFtNe
                                                                                                                                                                                                                                                                      MD5:B1ACB08A4F1ADBAB65532754B3ED4F8C
                                                                                                                                                                                                                                                                      SHA1:115E3123DC4DA726E34295AD9FFB3F8288A55D31
                                                                                                                                                                                                                                                                      SHA-256:64D532D967DC4ABA8AE313D459DF5D4B23DCB246D6CB603D028D81545C492829
                                                                                                                                                                                                                                                                      SHA-512:81AA9E021A0B3CA905D60EE3727C9B1A3FF00BE3A208E3583358FFB1607768F51CBD62380E10D14CD1A7559FB873BE4F26DD17ADC30B3B92B3AA2FD03F197E13
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/13BE5BE9622C4CFC13C070C93BF80D57",.. "id": "13BE5BE9622C4CFC13C070C93BF80D57",.. "title": "Microsoft Voices",.. "type": "background_page",.. "url": "chrome-extension://jdiccldimpdaibmpdkjnbmckianbfold/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/13BE5BE9622C4CFC13C070C93BF80D57"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/E78C396DC83019CAE2FCA9B233CAF477",.. "id": "E78C396DC83019CAE2FCA9B233CAF477",.. "title": "WebRTC Internals Extension",.. "type": "background_page",.. "url": "chrome-extension://ncbjelpjchkpbikbpkcchkhkblodoama/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/E78C396DC83019CAE2FCA9B233CAF477"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):776832
                                                                                                                                                                                                                                                                      Entropy (8bit):7.859727158445845
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXcgAuuweJH9RKC6cmulcfJbBivj:pG+XeJH9Rp6RtfNLtMmXeJH9Rp6RtfN8
                                                                                                                                                                                                                                                                      MD5:AFD936E441BF5CBDB858E96833CC6ED3
                                                                                                                                                                                                                                                                      SHA1:3491EDD8C7CAF9AE169E21FB58BCCD29D95AEFEF
                                                                                                                                                                                                                                                                      SHA-256:C6491D7A6D70C7C51BACA7436464667B4894E4989FA7C5E05068DDE4699E1CBF
                                                                                                                                                                                                                                                                      SHA-512:928C15A1EDA602B2A66A53734F3F563AB9626882104E30EE2BF5106CFD6E08EC54F96E3063F1AB89BF13BE2C8822A8419F5D8EE0A3583A4C479785226051A325
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 68%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2893824
                                                                                                                                                                                                                                                                      Entropy (8bit):6.467685485178008
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:wCbHPu0xIK60PjVzm+w2flaokYLK614FcXh5r6rSSW4OWHiHdq2VDaQJvISnxw3x:w8KwPjURY5sSSW4pi9qwDaxSnIiUN
                                                                                                                                                                                                                                                                      MD5:2854309DFD78A64E325E67004B94ADDF
                                                                                                                                                                                                                                                                      SHA1:78CF19390D1511E03139893C33D11BD2B7BE5D99
                                                                                                                                                                                                                                                                      SHA-256:CA61E922A2E723631B64B8D73B4AF5BC968C5BB29EC1073C2060C11B79F7FA8D
                                                                                                                                                                                                                                                                      SHA-512:FDE2202160B9CFE3EB595D6B6A481B2A8122DA0EF9B7208DE741D2449A20B4E0BBE11F9CDB247A95C567CC40426FFFF0741557F636159A468E9167308EFB0DDF
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(.......`O...........@...........................O......y,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...uqvrrapw..*...$...*..|..............@...blfuhhpc.....PO.......,.............@....taggant.0...`O.."....,.............@...........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[3].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1114112
                                                                                                                                                                                                                                                                      Entropy (8bit):7.7336985855739355
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:FAu2uOTJr0/sBIpMvVEDvtNNVpk3BLSx+ptEH76duCiheu2:4ugJAGIpMmZNNEBLSx4EHGxiC
                                                                                                                                                                                                                                                                      MD5:EF08A45833A7D881C90DED1952F96CB4
                                                                                                                                                                                                                                                                      SHA1:F04AEEB63A1409BD916558D2C40FAB8A5ED8168B
                                                                                                                                                                                                                                                                      SHA-256:33C236DC81AF2A47D595731D6FA47269B2874B281152530FDFFDDA9CBEB3B501
                                                                                                                                                                                                                                                                      SHA-512:74E84F710C90121527F06D453E9286910F2E8B6AC09D2AEB4AB1F0EAD23EA9B410C5D1074D8BC759BC3E766B5BC77D156756C7DF093BA94093107393290CED97
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 67%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.cg..............0......2........... ........@.. .......................`............@.....................................W.......H/...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H/.......0..................@..@.reloc.......@......................@..B........................H........<..........K.......`p...........................................Y?.F60...5..8....4zc.:.V........N.0...1.....O*.S..~.......I...pR..iI......Pn}...iJ!BH.+o/S..yj...8T'.}....y.I.kD.....'....$.6....}..w[. )...j..[.-..0....|...p....h\..L....R.T.~......b.K.h....".8.s`)...1... ....[i&.9....a?.F..N..~..._.^...Q.....43.L.....@v...x..IB.4...........|......(........~.Y.L.S..;..x.)w...v...:..2.....y.%{3w.)..^..7......@...7..k.H..p}."..%.p....0.g.3....g..

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[4].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1990144
                                                                                                                                                                                                                                                                      Entropy (8bit):7.9520955615384645
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:Da3bNDzsqksE47b1MkhCia2nmiDFikFdlZG0:e3bNfkn4FKia1QL
                                                                                                                                                                                                                                                                      MD5:2DA5C2BBE3A73ECEA269706891E912FA
                                                                                                                                                                                                                                                                      SHA1:CEEE3AF9DC0A4903B2A2C708E3B33A70A417215B
                                                                                                                                                                                                                                                                      SHA-256:FA2A0AA5F11E6C367D0EA66117DCF31086630222D1C2AF5B46A92B7BFE1089F7
                                                                                                                                                                                                                                                                      SHA-512:AE52660BECA7E8A5926C690ED19142E90E688D0DB871C1362D9E72FA40613E786340AFEDBECFF2C5EA4BB68967E5917BC2C4D57DCADF44C69CE98F38102BEF19
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z...)...)...)...(...)...(...)...(...)...(...)...(...)...(...)...(...)...)..)...)...).9.(...).9.)...).9.(...)Rich...)........................PE..L..._{_d...............%.|...^........K...........@...........................L......g....@.................................V...j.......l........................................................................................................... . .........<..................@....rsrc...l............L..............@....idata .............T..............@... ..*..........V..............@...xmsxfkky......1......X..............@...uydpyjdy......K......6..............@....taggant.0....K.."...<..............@...........................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[5].exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4455936
                                                                                                                                                                                                                                                                      Entropy (8bit):7.985009488298196
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:98304:i5Vhq3obBjDB2C53R1xQuyJul6y09/LuI7/wH8yO1g:8SobpDRB1XyJul6y04W/wH8y+
                                                                                                                                                                                                                                                                      MD5:8664A5A6E958F985735B8A17171550BC
                                                                                                                                                                                                                                                                      SHA1:3DEB8BFCDC32DDF9A678F44C59AA70E3A7F5BB5F
                                                                                                                                                                                                                                                                      SHA-256:FFCC7288342A28C0580BEA142951BF4AC33A3F391D8F9323F9E74293D2817E82
                                                                                                                                                                                                                                                                      SHA-512:ADC1C9BC3AF3A39B066A9231EF6BD9119D48DFF41A4E5BFAC695C40A5D2B9E5E9F4EB6E4779408CD7F22FE0E7E5697D7FA314778864FD13BB321DB3F8D0514B0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U`g...............(.>D...d..2...........PD...@...................................D...@... ............................._.a.s.....a......................p...............................p...................................................... . .pa......>(.................@....rsrc.........a......N(.............@....idata ......a......P(.............@... .P8...a......R(.............@...biyvevdc............T(.............@...aogmlwgx..............C.............@....taggant.0......."....C.............@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFED7C.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe
                                                                                                                                                                                                                                                                      File Type:PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):36016
                                                                                                                                                                                                                                                                      Entropy (8bit):7.983926499838966
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:768:tCJpXgIqzFJfREOAev/Gp0/XlxqHNxGny8mewtOodJCDz3E:oJ9WR3Aev/20/VxqHNTBfd0D4
                                                                                                                                                                                                                                                                      MD5:A293ABF92B1DE52DF77CBCA7C5D98DF2
                                                                                                                                                                                                                                                                      SHA1:DD342D01A0AFA093092EB544D6D7AD50EFAC6E96
                                                                                                                                                                                                                                                                      SHA-256:FAB35B6046CF4E853CB7FE432850DD29A459576E3C21D8B29B0B06211612B40E
                                                                                                                                                                                                                                                                      SHA-512:C21186913AE669BAB9E6BC5BAFD8EDCA2A89894CF6B86E85D7BC9DD103BF064923201A06E8C7EFDF0ACFF5E3BF0C9CE8D9F0A726C1E4AC8D411BEAD5B3E7ED8D
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:.PNG........IHDR...,...,.....y}.u....pHYs................MiCCPPhotoshop ICC profile..x.SwX...>..e.VB..l.."#....Y....a...@...V....HU...H...(.gA..Z.U\8....}z...........y.....&..j.9R.<:...OH.....H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0.._p..H.....K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0.>.3.o..~..@...z..q.@......qanv.R....B1n..#.....)..4.\,...X..P"M.y.R.D!.....2......w....O.N....l.~.....X.v.@~.-......g42y.......@+..........\...L....D..*.A..............a.D@.$.<.B.......A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ..Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$...N.!%.2I.IkH.H-.S.>..i.L&.m.......

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):2232
                                                                                                                                                                                                                                                                      Entropy (8bit):5.381368395106955
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:JWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:JLHxvIIwLgZ2KRHWLOugQs
                                                                                                                                                                                                                                                                      MD5:3E1B417513D6CFCB3689E05C77D98781
                                                                                                                                                                                                                                                                      SHA1:CDA9250210A8C92349CF3A1D509260EBA54E050F
                                                                                                                                                                                                                                                                      SHA-256:7E86FDBEF5229AD1EA05F984190B0444A129B058E49E492000ECDE7A9E03126D
                                                                                                                                                                                                                                                                      SHA-512:9A595ED4D89E60EFE9E4E9A2FBB0141B1E0FF6561CB2988DE57C51F211BCDA8BFF243A3E8BB926D723847771C08689E91937ABD06CD076421C21B0853AC93AA2
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:@...e.................................:..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):776832
                                                                                                                                                                                                                                                                      Entropy (8bit):7.859727158445845
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:smOcxtujRwuweJH9RKC6cmulcfJbBiv0W6NLtXcgAuuweJH9RKC6cmulcfJbBivj:pG+XeJH9Rp6RtfNLtMmXeJH9Rp6RtfN8
                                                                                                                                                                                                                                                                      MD5:AFD936E441BF5CBDB858E96833CC6ED3
                                                                                                                                                                                                                                                                      SHA1:3491EDD8C7CAF9AE169E21FB58BCCD29D95AEFEF
                                                                                                                                                                                                                                                                      SHA-256:C6491D7A6D70C7C51BACA7436464667B4894E4989FA7C5E05068DDE4699E1CBF
                                                                                                                                                                                                                                                                      SHA-512:928C15A1EDA602B2A66A53734F3F563AB9626882104E30EE2BF5106CFD6E08EC54F96E3063F1AB89BF13BE2C8822A8419F5D8EE0A3583A4C479785226051A325
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 68%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....`g..........".................RY............@.......................................@..................................7..<...............................@...........................X.......................(9..T............................text............................... ..`.rdata..$...........................@..@.data...l"...P.......>..............@....bsS....S............T.............. ..`.tls.................V..............@....rsrc................X..............@..@.reloc..@............Z..............@..B.bss.................t..............@....bss.........p......................@...................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1885696
                                                                                                                                                                                                                                                                      Entropy (8bit):7.9502129539309525
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:xygWjRQ3HLL/piTRSyEvGqpGl3Ao1cVPeb3ymHw2NG:ggrHpi8yhqclT1vtN
                                                                                                                                                                                                                                                                      MD5:25FB9C54265BBACC7A055174479F0B70
                                                                                                                                                                                                                                                                      SHA1:4AF069A2EC874703A7E29023D23A1ADA491B584E
                                                                                                                                                                                                                                                                      SHA-256:552F8BE2C6B2208A89C728F68488930C661B3A06C35A20D133EF7D3C63A86B9C
                                                                                                                                                                                                                                                                      SHA-512:7DFD9E0F3FA2D68A6CE8C952E3B755559DB73BB7A06C95AD6ED8AC16DEDB49BE8B8337AFC07C9C682F0C4BE9DB291A551286353E2E2B624223487DC1C8B54668
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 75%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g..............................J...........@...........................J.....%-....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...uzxdwyvi.P... 0..B...^..............@...efzdldig.....pJ.....................@....taggant.0....J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):22016
                                                                                                                                                                                                                                                                      Entropy (8bit):5.338206717136569
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:78HIRrJs1HLBDhq5RWBNBlBThtq2uoyLizwxeNLHdWuNMV275RtAcL8SFS69rvwM:Qqls1HLBDhIRWbXlq2uVk75RuSFSm6EJ
                                                                                                                                                                                                                                                                      MD5:04F57C6FB2B2CD8DCC4B38E4A93D4366
                                                                                                                                                                                                                                                                      SHA1:61770495AA18D480F70B654D1F57998E5BD8C885
                                                                                                                                                                                                                                                                      SHA-256:51E4D0CBC184B8ABFA6D84E219317CF81BD542286A7CC602C87EB703A39627C2
                                                                                                                                                                                                                                                                      SHA-512:53F95E98A5ECA472ED6B1DFD6FECD1E28EA66967A1B3AA109FE911DBB935F1ABF327438D4B2FE72CF7A0201281E9F56F4548F965B96E3916B9142257627E6CCD
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 18%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.7..........."...0..L...........j... ........@.. ....................................`.................................<j..O....................................i..8............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................pj......H.......(7...2...........................................................0..8.......s/.....(....} .....}!.....}.....| .....(...+.| ...(....*.0..P........~.........,B.r...p(.....r...p(.....(.....r...p.(....(......(....o......(......*.0..8.......s2.....(....}(.....}).....}'....|(.....(...+.|(...(....*.0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+...*.0............r...p( ...o!....+..*...0............r...p( ...o!....+..*...0..2.........r...pr...p

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1800704
                                                                                                                                                                                                                                                                      Entropy (8bit):7.947640823884506
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:Zl78yuxW3WLrcjKsLhJahTiN5yhwNPb6jQVBT5q:Zu/xWGQKsLbSaIiNjSAW
                                                                                                                                                                                                                                                                      MD5:3647AF905F92B479113300608444F101
                                                                                                                                                                                                                                                                      SHA1:84E4D4C7BEDA95176AD3DDFCF10169F7DA8E2BEA
                                                                                                                                                                                                                                                                      SHA-256:6EB4D74F0C7CF5780099F4DA5EA6F57C0648AD552888F7ACCF0C5251AE27BCAC
                                                                                                                                                                                                                                                                      SHA-512:4CDEDDE69EC6D8EC92FFAF2CE4E5CC6ED39A954672D88F548ED8F7AD80F44BF875725EBF8593E1440CC939860E0E3F09E4E13092FB59F4A5A8600B8CE5167BB7
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................0G...........@..........................`G.....0.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..(..@.......\..............@...ijtgtnqw..... .......^..............@...jumutqrp..... G......T..............@....taggant.0...0G.."...X..............@...................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2893824
                                                                                                                                                                                                                                                                      Entropy (8bit):6.467685485178008
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:wCbHPu0xIK60PjVzm+w2flaokYLK614FcXh5r6rSSW4OWHiHdq2VDaQJvISnxw3x:w8KwPjURY5sSSW4pi9qwDaxSnIiUN
                                                                                                                                                                                                                                                                      MD5:2854309DFD78A64E325E67004B94ADDF
                                                                                                                                                                                                                                                                      SHA1:78CF19390D1511E03139893C33D11BD2B7BE5D99
                                                                                                                                                                                                                                                                      SHA-256:CA61E922A2E723631B64B8D73B4AF5BC968C5BB29EC1073C2060C11B79F7FA8D
                                                                                                                                                                                                                                                                      SHA-512:FDE2202160B9CFE3EB595D6B6A481B2A8122DA0EF9B7208DE741D2449A20B4E0BBE11F9CDB247A95C567CC40426FFFF0741557F636159A468E9167308EFB0DDF
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(.......`O...........@...........................O......y,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...uqvrrapw..*...$...*..|..............@...blfuhhpc.....PO.......,.............@....taggant.0...`O.."....,.............@...........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):970240
                                                                                                                                                                                                                                                                      Entropy (8bit):6.702836450851498
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8aLpAZqZJ:5TvC/MTQYxsWR7aLmZqZ
                                                                                                                                                                                                                                                                      MD5:134E8ED7546996583F248F49C87D99A2
                                                                                                                                                                                                                                                                      SHA1:7998F64C61662137E5ED3F0DBBE88DAC493AD95C
                                                                                                                                                                                                                                                                      SHA-256:99EAD08700A6DB4F3D6FBC4DD6E9435A32E4D0BF168E241C46E34CEF8620CECD
                                                                                                                                                                                                                                                                      SHA-512:CC08EFC2721FD49E971AF55F3ED05114B9D9FE3EE51ECC7EF7ED2F9299A8A46E7FBFEB9CBAF6388079F00098C8B101D73B760FE843A70A8F0A63910DF75E4D0A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....dg..........".................w.............@..........................0......Bx....@...@.......@.....................d...|....@...b.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....b...@...d..................@..@.reloc...u.......v...X..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2817024
                                                                                                                                                                                                                                                                      Entropy (8bit):6.502583084865015
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:M7ElLg4wLHnisqQk6Oeq/s+RYoL+w3moQsKDURHr9:M7El07EQkdeqFRYCz3moQzDuL9
                                                                                                                                                                                                                                                                      MD5:27D1C23073BBF3BE2092A18AB4CF9818
                                                                                                                                                                                                                                                                      SHA1:CC101A86E9519506179C51B3FE675A52A701C6BE
                                                                                                                                                                                                                                                                      SHA-256:FBE50F1EE3463F3B76126739B438AF49EDD32FCE2B636F57A9741B1689160C8B
                                                                                                                                                                                                                                                                      SHA-512:AE692D5679119EA1E07832A2ABC2ACC3B58E76BF6BAA1CD43CB0AF30EA0AAC684DB9C53B0CE8AFCCAEC5FDFFCBED0254FD4F8D7C20B32C00EB3F53C839FBED5A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....\.+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...ehjhpitf..*......n*..h..............@...ijjaccto. ... +.......*.............@....taggant.@...@+.."....*.............@...................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017983001\f71e300ff9.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1671168
                                                                                                                                                                                                                                                                      Entropy (8bit):7.957359010004932
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:rTMq5MIQ0Tqibh61R5agdp707srnnouWc0:nMq5M3iwR5agdiSnnoy0
                                                                                                                                                                                                                                                                      MD5:A7AB8D3ECF75E852325062CA2BC27972
                                                                                                                                                                                                                                                                      SHA1:174ABC8DBC1E7134895E4C8EE66E217AF2D1C7EE
                                                                                                                                                                                                                                                                      SHA-256:B5CCB12F3729D8BC608D78A4689624344A7A4F57850A3989E47AFDA32735174B
                                                                                                                                                                                                                                                                      SHA-512:FC1A8560EFE50EE99CDB94F81DE9A4187C380D6AA0E41D770A95BDE057011657ECCC8AE9866E27534F16C4F839A3200802260F6E3F1051AD120C2A0E8257083C
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@.......p............@.........................................................................[.A.o.....@.....................................................\...................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... .P)...A.....................@...bpztmzrt......j..v..................@...skyqimte.....`.......H..............@....taggant.0...p..."...L..............@...........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1114112
                                                                                                                                                                                                                                                                      Entropy (8bit):7.7336985855739355
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:FAu2uOTJr0/sBIpMvVEDvtNNVpk3BLSx+ptEH76duCiheu2:4ugJAGIpMmZNNEBLSx4EHGxiC
                                                                                                                                                                                                                                                                      MD5:EF08A45833A7D881C90DED1952F96CB4
                                                                                                                                                                                                                                                                      SHA1:F04AEEB63A1409BD916558D2C40FAB8A5ED8168B
                                                                                                                                                                                                                                                                      SHA-256:33C236DC81AF2A47D595731D6FA47269B2874B281152530FDFFDDA9CBEB3B501
                                                                                                                                                                                                                                                                      SHA-512:74E84F710C90121527F06D453E9286910F2E8B6AC09D2AEB4AB1F0EAD23EA9B410C5D1074D8BC759BC3E766B5BC77D156756C7DF093BA94093107393290CED97
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 67%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.cg..............0......2........... ........@.. .......................`............@.....................................W.......H/...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H/.......0..................@..@.reloc.......@......................@..B........................H........<..........K.......`p...........................................Y?.F60...5..8....4zc.:.V........N.0...1.....O*.S..~.......I...pR..iI......Pn}...iJ!BH.+o/S..yj...8T'.}....y.I.kD.....'....$.6....}..w[. )...j..[.-..0....|...p....h\..L....R.T.~......b.K.h....".8.s`)...1... ....[i&.9....a?.F..N..~..._.^...Q.....43.L.....@v...x..IB.4...........|......(........~.Y.L.S..;..x.)w...v...:..2.....y.%{3w.)..^..7......@...7..k.H..p}."..%.p....0.g.3....g..

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017985001\1e467b8b46.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1880576
                                                                                                                                                                                                                                                                      Entropy (8bit):7.947827107801024
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:ZRGDbjz7g+LRMpnd6dc8dwpW+8cYsjL1i:ZRGDrky0nd6dcmUT8AjL1i
                                                                                                                                                                                                                                                                      MD5:FF279F4E5B1C6FBDA804D2437C2DBDC8
                                                                                                                                                                                                                                                                      SHA1:2FEB3762C877A5AE3CA60EEEBC37003AD0844245
                                                                                                                                                                                                                                                                      SHA-256:E115298AB160DA9C7A998E4AE0B72333F64B207DA165134CA45EB997A000D378
                                                                                                                                                                                                                                                                      SHA-512:C7A8BBCB122B2C7B57C8B678C5EED075EE5E7C355AFBF86238282D2D3458019DA1A8523520E1A1C631CD01B555F7DF340545FD1E44AD678DC97C40B23428F967
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 81%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................0J...........@..........................`J.....i.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..*..@.......\..............@...xnuzvlhe.0..../......^..............@...tzuttanx..... J.....................@....taggant.0...0J.."..................@...................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017986001\5dfec4fe99.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1990144
                                                                                                                                                                                                                                                                      Entropy (8bit):7.9520955615384645
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:Da3bNDzsqksE47b1MkhCia2nmiDFikFdlZG0:e3bNfkn4FKia1QL
                                                                                                                                                                                                                                                                      MD5:2DA5C2BBE3A73ECEA269706891E912FA
                                                                                                                                                                                                                                                                      SHA1:CEEE3AF9DC0A4903B2A2C708E3B33A70A417215B
                                                                                                                                                                                                                                                                      SHA-256:FA2A0AA5F11E6C367D0EA66117DCF31086630222D1C2AF5B46A92B7BFE1089F7
                                                                                                                                                                                                                                                                      SHA-512:AE52660BECA7E8A5926C690ED19142E90E688D0DB871C1362D9E72FA40613E786340AFEDBECFF2C5EA4BB68967E5917BC2C4D57DCADF44C69CE98F38102BEF19
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z...)...)...)...(...)...(...)...(...)...(...)...(...)...(...)...(...)...)..)...)...).9.(...).9.)...).9.(...)Rich...)........................PE..L..._{_d...............%.|...^........K...........@...........................L......g....@.................................V...j.......l........................................................................................................... . .........<..................@....rsrc...l............L..............@....idata .............T..............@... ..*..........V..............@...xmsxfkky......1......X..............@...uydpyjdy......K......6..............@....taggant.0....K.."...<..............@...........................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017987001\7bbff7a3a2.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):21504
                                                                                                                                                                                                                                                                      Entropy (8bit):5.336742061370928
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:JiynHMEyyp/He7ik+KcJB669mNPBqVgYERHtNNVYISZS1d7RroV5:PHvtm7ik+KcJB6jRHkISZShkn
                                                                                                                                                                                                                                                                      MD5:14BECDF1E2402E9AA6C2BE0E6167041E
                                                                                                                                                                                                                                                                      SHA1:72CBBAE6878F5E06060A0038B25EDE93B445F0DF
                                                                                                                                                                                                                                                                      SHA-256:7A769963165063758F15F6E0CECE25C9D13072F67FA0D3C25A03A5104FE0783A
                                                                                                                                                                                                                                                                      SHA-512:16B837615505F352E134AFD9D8655C9CABFA5BFCFBEE2C0C34F2D7D9588AA71F875E4E5FEB8CDF0F7BACC00F7C1CA8DABD3B3D92AFC99ABF705C05C78E298B4A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 54%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...pm;..........."...0..J..........:i... ........@.. ....................................`..................................h..O...................................Th..8............................................ ............... ..H............text...@I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................i......H........6..p1...........................................................0..8.......s2.....(....}<.....}=.....};....|<.....(...+.|<...(....*.0..P........~.........,B.r...p(.....rc..p(.....(.....r...p.(....(......(....o......(......*.0..8.......s,.....(....}......}......}.....|......(...+.|....(....*.0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+...*.0............r...p( ...o!....+..*...0............r...p( ...o!....+..*...0..2.........r...pr...p

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017988001\2dc416cfa5.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4438776
                                                                                                                                                                                                                                                                      Entropy (8bit):7.99505709582503
                                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                                      SSDEEP:98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
                                                                                                                                                                                                                                                                      MD5:3A425626CBD40345F5B8DDDD6B2B9EFA
                                                                                                                                                                                                                                                                      SHA1:7B50E108E293E54C15DCE816552356F424EEA97A
                                                                                                                                                                                                                                                                      SHA-256:BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
                                                                                                                                                                                                                                                                      SHA-512:A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017989001\4c7aea0d0a.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4455936
                                                                                                                                                                                                                                                                      Entropy (8bit):7.985009488298196
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:98304:i5Vhq3obBjDB2C53R1xQuyJul6y09/LuI7/wH8yO1g:8SobpDRB1XyJul6y04W/wH8y+
                                                                                                                                                                                                                                                                      MD5:8664A5A6E958F985735B8A17171550BC
                                                                                                                                                                                                                                                                      SHA1:3DEB8BFCDC32DDF9A678F44C59AA70E3A7F5BB5F
                                                                                                                                                                                                                                                                      SHA-256:FFCC7288342A28C0580BEA142951BF4AC33A3F391D8F9323F9E74293D2817E82
                                                                                                                                                                                                                                                                      SHA-512:ADC1C9BC3AF3A39B066A9231EF6BD9119D48DFF41A4E5BFAC695C40A5D2B9E5E9F4EB6E4779408CD7F22FE0E7E5697D7FA314778864FD13BB321DB3F8D0514B0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....U`g...............(.>D...d..2...........PD...@...................................D...@... ............................._.a.s.....a......................p...............................p...................................................... . .pa......>(.................@....rsrc.........a......N(.............@....idata ......a......P(.............@... .P8...a......R(.............@...biyvevdc............T(.............@...aogmlwgx..............C.............@....taggant.0......."....C.............@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):3286016
                                                                                                                                                                                                                                                                      Entropy (8bit):7.310046848182974
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:yla31k0wuMKWrJSYQTdfjfkn46z2jnVGd7jyy7qaJJR0BmXSyYO3:yla3/tS4K2jnVGRjHLJfV
                                                                                                                                                                                                                                                                      MD5:C00A67D527EF38DC6F49D0AD7F13B393
                                                                                                                                                                                                                                                                      SHA1:7B8F2DE130AB5E4E59C3C2F4A071BDA831AC219D
                                                                                                                                                                                                                                                                      SHA-256:12226CCAE8C807641241BA5178D853AAD38984EEFB0C0C4D65ABC4DA3F9787C3
                                                                                                                                                                                                                                                                      SHA-512:9286D267B167CBA01E55E68C8C5582F903BED0DD8BC4135EB528EF6814E60E7D4DDA2B3611E13EFB56AA993635FBAB218B0885DAF5DAEA6043061D8384AF40CA
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1017990001\101d940598.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 54%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....V...............P.../..Z......../.. ....0...@.. ........................2...........@.................................../.K.....0.@W...................`2.....3./.............................................. ............... ..H............text...../.. ..../................. ..`.rsrc...@W....0..X..../.............@..@.reloc.......`2......"2.............@..B................../.....H...........@.......C...@...z.*.........................................6+.(B.99(....*..:+.(.^A.(!...*.....*....(*...*.....*.......*.......*....(*...*..0..........(*...8y.......E....c...O.../...8^...s......... .....:....&8....s.........8....s......... .....9....& ....8....s......... ....8....*s.........8.......0.............*.0.............*.0.............*.0.............*.0.............*....*.......*....0.............*.0.............*....*....0.............*....*...".......

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017991001\617d9fb7ad.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4470784
                                                                                                                                                                                                                                                                      Entropy (8bit):7.98631408508455
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:98304:n2HUae1lrFMtxO8BIfxMw4Azf21lpvXpnmD7ElhvpJdOXyDvTn:7/MDO9fxMSC1lpvXikkkvTn
                                                                                                                                                                                                                                                                      MD5:A662856DF913178C0E54B194AFE4DD2B
                                                                                                                                                                                                                                                                      SHA1:5CC4318E946E1A6F9625019D9E5150E480AEB2BF
                                                                                                                                                                                                                                                                      SHA-256:F7B0783FDB5C0E335976B3F4BAA43D8E76925AE478F341200C9474F1126ED7CB
                                                                                                                                                                                                                                                                      SHA-512:0E87B88F79B1F2B68EA907E9975979F587EC5C0451001B5404E4CC44EBC2E1072AE2F9B297E2A44A51D458622F076A2512265C8F48FE9BCD05626D17B2ABC9DE
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...`.......pH...@.................................O.D...@... ............................._pt.s....`t......................N...............................M...................................................... . .Pt......L(.................@....rsrc........`t......\(.............@....idata .....pt......^(.............@... . 9...t......`(.............@...pgbzfndf.............b(.............@...xfbmxldi.....P........D.............@....taggant.0...`..."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017992001\e7bd366d99.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):810496
                                                                                                                                                                                                                                                                      Entropy (8bit):7.808597434734726
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:grtEhokkSG4bPWQ8C8z3zcB49CNPWQ8C8z3zcB49Cx:grGhokkSG4bPWQv8z3BYNPWQv8z3BYx
                                                                                                                                                                                                                                                                      MD5:E8AF4D0D0B47AC68D762B7F288AE8E6E
                                                                                                                                                                                                                                                                      SHA1:1D65F31526CC20AB41D6B1625D6674D7F13E326C
                                                                                                                                                                                                                                                                      SHA-256:B83449768E7AF68867C8BC42B19FF012722D88EA66AEF69DF48661E63E0EB15E
                                                                                                                                                                                                                                                                      SHA-512:80FAD90314FF639F538A72C5E4CA2BF9AE52B9309CAA7CD6F87D61791505BB3612B7F3190AB9B67348C5D71F4D29BB9D101E3F66D525EB9B5E2060A10B2D187A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 67%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....^g.........."......f........................@.......................................@.....................................P....p..........................x...........................x.......................`...|............................text...md.......f.................. ..`.rdata..............n..............@..@.data...,%... ......................@....CODE........P....... .............. ..`.tls.........`.......0..............@....rsrc........p.......2..............@..@.reloc..x............4..............@..B.bss.................R..............@....bss.........0......................@...................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017993001\718f24a5dc.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1374720
                                                                                                                                                                                                                                                                      Entropy (8bit):7.0671827674657335
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:fYlZH+uQDPYLZtPikfLyXFD3qRc4f6GO4k88P9VB77Ml8fmMxHr:fYu7DPYLZtakzyVD3ELCh//+8fmW
                                                                                                                                                                                                                                                                      MD5:669ED3665495A4A52029FF680EC8EBA9
                                                                                                                                                                                                                                                                      SHA1:7785E285365A141E307931CA4C4EF00B7ECC8986
                                                                                                                                                                                                                                                                      SHA-256:2D2D405409B128EEA72A496CCFF0ED56F9ED87EE2564AE4815B4B116D4FB74D6
                                                                                                                                                                                                                                                                      SHA-512:BEDC8F7C1894FC64CDD00EBC58B434B7D931E52C198A0FA55F16F4E3D44A7DC4643EAA78EC55A43CC360571345CD71D91A64037A135663E72EED334FE77A21E6
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 28%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.D..........&....&..........................@..........................p......\U....@... ..............................P..........,l.......................c...................................................T...............................text...............................`..`.data...H...........................@....rdata..............................@..@.eh_fram............p..............@..@.bss....4....@...........................idata.......P......................@....CRT....8....p.......$..............@....tls.................&..............@....rsrc...,l.......n...(..............@..@.reloc...c.......d..................@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017994001\98679d2b4b.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):22016
                                                                                                                                                                                                                                                                      Entropy (8bit):5.338206717136569
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:384:78HIRrJs1HLBDhq5RWBNBlBThtq2uoyLizwxeNLHdWuNMV275RtAcL8SFS69rvwM:Qqls1HLBDhIRWbXlq2uVk75RuSFSm6EJ
                                                                                                                                                                                                                                                                      MD5:04F57C6FB2B2CD8DCC4B38E4A93D4366
                                                                                                                                                                                                                                                                      SHA1:61770495AA18D480F70B654D1F57998E5BD8C885
                                                                                                                                                                                                                                                                      SHA-256:51E4D0CBC184B8ABFA6D84E219317CF81BD542286A7CC602C87EB703A39627C2
                                                                                                                                                                                                                                                                      SHA-512:53F95E98A5ECA472ED6B1DFD6FECD1E28EA66967A1B3AA109FE911DBB935F1ABF327438D4B2FE72CF7A0201281E9F56F4548F965B96E3916B9142257627E6CCD
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 18%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.7..........."...0..L...........j... ........@.. ....................................`.................................<j..O....................................i..8............................................ ............... ..H............text....J... ...L.................. ..`.rsrc................N..............@..@.reloc...............T..............@..B................pj......H.......(7...2...........................................................0..8.......s/.....(....} .....}!.....}.....| .....(...+.| ...(....*.0..P........~.........,B.r...p(.....r...p(.....(.....r...p.(....(......(....o......(......*.0..8.......s2.....(....}(.....}).....}'....|(.....(...+.|(...(....*.0..H........s......./......+....~.....~.....io.........X.......-.r...p.(......+...*.0............r...p( ...o!....+..*...0............r...p( ...o!....+..*...0..2.........r...pr...p

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017995001\8d966c471d.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1800704
                                                                                                                                                                                                                                                                      Entropy (8bit):7.947640823884506
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:Zl78yuxW3WLrcjKsLhJahTiN5yhwNPb6jQVBT5q:Zu/xWGQKsLbSaIiNjSAW
                                                                                                                                                                                                                                                                      MD5:3647AF905F92B479113300608444F101
                                                                                                                                                                                                                                                                      SHA1:84E4D4C7BEDA95176AD3DDFCF10169F7DA8E2BEA
                                                                                                                                                                                                                                                                      SHA-256:6EB4D74F0C7CF5780099F4DA5EA6F57C0648AD552888F7ACCF0C5251AE27BCAC
                                                                                                                                                                                                                                                                      SHA-512:4CDEDDE69EC6D8EC92FFAF2CE4E5CC6ED39A954672D88F548ED8F7AD80F44BF875725EBF8593E1440CC939860E0E3F09E4E13092FB59F4A5A8600B8CE5167BB7
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g.............................0G...........@..........................`G.....0.....@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..(..@.......\..............@...ijtgtnqw..... .......^..............@...jumutqrp..... G......T..............@....taggant.0...0G.."...X..............@...................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017996001\9c5dc2c478.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2893824
                                                                                                                                                                                                                                                                      Entropy (8bit):6.467685485178008
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:wCbHPu0xIK60PjVzm+w2flaokYLK614FcXh5r6rSSW4OWHiHdq2VDaQJvISnxw3x:w8KwPjURY5sSSW4pi9qwDaxSnIiUN
                                                                                                                                                                                                                                                                      MD5:2854309DFD78A64E325E67004B94ADDF
                                                                                                                                                                                                                                                                      SHA1:78CF19390D1511E03139893C33D11BD2B7BE5D99
                                                                                                                                                                                                                                                                      SHA-256:CA61E922A2E723631B64B8D73B4AF5BC968C5BB29EC1073C2060C11B79F7FA8D
                                                                                                                                                                                                                                                                      SHA-512:FDE2202160B9CFE3EB595D6B6A481B2A8122DA0EF9B7208DE741D2449A20B4E0BBE11F9CDB247A95C567CC40426FFFF0741557F636159A468E9167308EFB0DDF
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(.......`O...........@...........................O......y,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...uqvrrapw..*...$...*..|..............@...blfuhhpc.....PO.......,.............@....taggant.0...`O.."....,.............@...........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017997001\4e48e9ad99.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):970240
                                                                                                                                                                                                                                                                      Entropy (8bit):6.702836450851498
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8aLpAZqZJ:5TvC/MTQYxsWR7aLmZqZ
                                                                                                                                                                                                                                                                      MD5:134E8ED7546996583F248F49C87D99A2
                                                                                                                                                                                                                                                                      SHA1:7998F64C61662137E5ED3F0DBBE88DAC493AD95C
                                                                                                                                                                                                                                                                      SHA-256:99EAD08700A6DB4F3D6FBC4DD6E9435A32E4D0BF168E241C46E34CEF8620CECD
                                                                                                                                                                                                                                                                      SHA-512:CC08EFC2721FD49E971AF55F3ED05114B9D9FE3EE51ECC7EF7ED2F9299A8A46E7FBFEB9CBAF6388079F00098C8B101D73B760FE843A70A8F0A63910DF75E4D0A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....dg..........".................w.............@..........................0......Bx....@...@.......@.....................d...|....@...b.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....b...@...d..................@..@.reloc...u.......v...X..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017998001\ab2f510d23.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2817024
                                                                                                                                                                                                                                                                      Entropy (8bit):6.502583084865015
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:M7ElLg4wLHnisqQk6Oeq/s+RYoL+w3moQsKDURHr9:M7El07EQkdeqFRYCz3moQzDuL9
                                                                                                                                                                                                                                                                      MD5:27D1C23073BBF3BE2092A18AB4CF9818
                                                                                                                                                                                                                                                                      SHA1:CC101A86E9519506179C51B3FE675A52A701C6BE
                                                                                                                                                                                                                                                                      SHA-256:FBE50F1EE3463F3B76126739B438AF49EDD32FCE2B636F57A9741B1689160C8B
                                                                                                                                                                                                                                                                      SHA-512:AE692D5679119EA1E07832A2ABC2ACC3B58E76BF6BAA1CD43CB0AF30EA0AAC684DB9C53B0CE8AFCCAEC5FDFFCBED0254FD4F8D7C20B32C00EB3F53C839FBED5A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....\.+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...ehjhpitf..*......n*..h..............@...ijjaccto. ... +.......*.............@....taggant.@...@+.."....*.............@...................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\1017999001\daaacc90a2.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1928704
                                                                                                                                                                                                                                                                      Entropy (8bit):7.94324154252622
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:rTMq5MIQ0Tqibh61R5agdp707srnnouWcbxdt+ogki:nMq5M3iwR5agdiSnnoybbt+J
                                                                                                                                                                                                                                                                      MD5:4E341A5E65522DC7AD83BAB52F3E60F8
                                                                                                                                                                                                                                                                      SHA1:D3A1D76710068D38CD35ED908C0677263F5D97E9
                                                                                                                                                                                                                                                                      SHA-256:9AFAD313FDB3A41015EC415280986B4D596B1DC07BCC46B49F5BEE6FCF5FB54C
                                                                                                                                                                                                                                                                      SHA-512:27C41EDDED8E29F87BE28BB93E86AE26129F28A63134235FA38493909BEF08B2559B0DA1BD03C4E2856B7CC6DBD2174650E7E3634F015E9F600F25BAB4A4D3AC
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@.......p............@.........................................................................[.A.o.....@.....................................................\...................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... .P)...A.....................@...bpztmzrt......j..v..................@...skyqimte.....`.......H..............@....taggant.0...p..."...L..............@...........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\DFAWHTB6ZKNPCDBIS7.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2893824
                                                                                                                                                                                                                                                                      Entropy (8bit):6.467685485178008
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:wCbHPu0xIK60PjVzm+w2flaokYLK614FcXh5r6rSSW4OWHiHdq2VDaQJvISnxw3x:w8KwPjURY5sSSW4pi9qwDaxSnIiUN
                                                                                                                                                                                                                                                                      MD5:2854309DFD78A64E325E67004B94ADDF
                                                                                                                                                                                                                                                                      SHA1:78CF19390D1511E03139893C33D11BD2B7BE5D99
                                                                                                                                                                                                                                                                      SHA-256:CA61E922A2E723631B64B8D73B4AF5BC968C5BB29EC1073C2060C11B79F7FA8D
                                                                                                                                                                                                                                                                      SHA-512:FDE2202160B9CFE3EB595D6B6A481B2A8122DA0EF9B7208DE741D2449A20B4E0BBE11F9CDB247A95C567CC40426FFFF0741557F636159A468E9167308EFB0DDF
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(.......`O...........@...........................O......y,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...uqvrrapw..*...$...*..|..............@...blfuhhpc.....PO.......,.............@....taggant.0...`O.."....,.............@...........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\RIZ8QT1S0BQ20WD7KBBS21.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2893824
                                                                                                                                                                                                                                                                      Entropy (8bit):6.467685485178008
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24576:wCbHPu0xIK60PjVzm+w2flaokYLK614FcXh5r6rSSW4OWHiHdq2VDaQJvISnxw3x:w8KwPjURY5sSSW4pi9qwDaxSnIiUN
                                                                                                                                                                                                                                                                      MD5:2854309DFD78A64E325E67004B94ADDF
                                                                                                                                                                                                                                                                      SHA1:78CF19390D1511E03139893C33D11BD2B7BE5D99
                                                                                                                                                                                                                                                                      SHA-256:CA61E922A2E723631B64B8D73B4AF5BC968C5BB29EC1073C2060C11B79F7FA8D
                                                                                                                                                                                                                                                                      SHA-512:FDE2202160B9CFE3EB595D6B6A481B2A8122DA0EF9B7208DE741D2449A20B4E0BBE11F9CDB247A95C567CC40426FFFF0741557F636159A468E9167308EFB0DDF
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(.......`O...........@...........................O......y,...@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@...uqvrrapw..*...$...*..|..............@...blfuhhpc.....PO.......,.............@....taggant.0...`O.."....,.............@...........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\TYUE4E8K2GIAZ6KSY1ZAXK0WL48NIVF.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2817024
                                                                                                                                                                                                                                                                      Entropy (8bit):6.502583084865015
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:M7ElLg4wLHnisqQk6Oeq/s+RYoL+w3moQsKDURHr9:M7El07EQkdeqFRYCz3moQzDuL9
                                                                                                                                                                                                                                                                      MD5:27D1C23073BBF3BE2092A18AB4CF9818
                                                                                                                                                                                                                                                                      SHA1:CC101A86E9519506179C51B3FE675A52A701C6BE
                                                                                                                                                                                                                                                                      SHA-256:FBE50F1EE3463F3B76126739B438AF49EDD32FCE2B636F57A9741B1689160C8B
                                                                                                                                                                                                                                                                      SHA-512:AE692D5679119EA1E07832A2ABC2ACC3B58E76BF6BAA1CD43CB0AF30EA0AAC684DB9C53B0CE8AFCCAEC5FDFFCBED0254FD4F8D7C20B32C00EB3F53C839FBED5A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....\.+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...ehjhpitf..*......n*..h..............@...ijjaccto. ... +.......*.............@....taggant.@...@+.."....*.............@...................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\TmpE6B3.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (1136), with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1136
                                                                                                                                                                                                                                                                      Entropy (8bit):5.884313058724772
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:QmeWUJxBiiAFaUlbJ2Hr1mI+Ic2iFerfnmj6BmKHnsZu:ZeX/ZkXgHr1m52iwrPvQInsZu
                                                                                                                                                                                                                                                                      MD5:A10F31FA140F2608FF150125F3687920
                                                                                                                                                                                                                                                                      SHA1:EC411CC7005AAA8E3775CF105FCD4E1239F8ED4B
                                                                                                                                                                                                                                                                      SHA-256:28C871238311D40287C51DC09AEE6510CAC5306329981777071600B1112286C6
                                                                                                                                                                                                                                                                      SHA-512:CF915FB34CD5ECFBD6B25171D6E0D3D09AF2597EDF29F9F24FA474685D4C5EC9BC742ADE9F29ABAC457DD645EE955B1914A635C90AF77C519D2ADA895E7ECF12
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MIIDUDCCAjigAwIBAgIQImsjBGfFTk6M7sZzNVcAwDANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDExphdXRoLmluc3RhbGxlcnNlcnZpY2VzLmNvbTAeFw0yMzEwMjUyMzEzNDhaFw0yODEwMjUyMzIzNDhaMCUxIzAhBgNVBAMTGmF1dGguaW5zdGFsbGVyc2VydmljZXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwnTHlqfx0MmiBSvhwkjmo2Y53B2ED6kyYgNgsSoX090DwL9g08Q2LnfEEFH+mif1Zv6jztT5QvWXjjroucDJQzZFBz/xbd1zilX80JFxD/8TIiKdmg73eXcrkSTsQUz97HwnpZbQDWbQJh/QxbvRIrJrcU2ADGsC5KBpRVXJ3t9m3TKNrfbAtKpPonso6+6GHvwUNTZUU9UgvDV3qGpDSniqumK3a1U9hphJJBb8us3o3538CM3tJAJ2w/bDGA/MOaTInkspZIQpecv16wkMWuLyHUxAaMDIO0tuIKxeIka0PaTAaZdw6BXofnNqwDD5JloOGm323JAR3pe+hJmSmQIDAQABo3wwejAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUL8Xv6MyxPZ8/T+cj4fEkfSpVzqEwHQYDVR0OBBYEFC/F7+jMsT2fP0/nI+HxJH0qVc6hMA0GCSqGSIb3DQEBCwUAA4IBAQASgm1VIK9vC88LPaCv7qPEd2TUtRrOi/VG2HkcpmBIKGoDeFa41jzKpO25iMg4MQhlXuljIYMDch8YpZETcFvBXHzfCF7Rc+kl/K5tFd8kHGMItiPuwZV/BfvL9Wu4gY4g1skfRpiemP1gZvlc1fZlEoYDqAIzODkRyXOd2nsa7zt8iGTdNujZ8A/IyQzGNeqtmt+bpNvKojkB

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\TmpE6D3.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (1136), with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1136
                                                                                                                                                                                                                                                                      Entropy (8bit):5.884313058724772
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:QmeWUJxBiiAFaUlbJ2Hr1mI+Ic2iFerfnmj6BmKHnsZu:ZeX/ZkXgHr1m52iwrPvQInsZu
                                                                                                                                                                                                                                                                      MD5:A10F31FA140F2608FF150125F3687920
                                                                                                                                                                                                                                                                      SHA1:EC411CC7005AAA8E3775CF105FCD4E1239F8ED4B
                                                                                                                                                                                                                                                                      SHA-256:28C871238311D40287C51DC09AEE6510CAC5306329981777071600B1112286C6
                                                                                                                                                                                                                                                                      SHA-512:CF915FB34CD5ECFBD6B25171D6E0D3D09AF2597EDF29F9F24FA474685D4C5EC9BC742ADE9F29ABAC457DD645EE955B1914A635C90AF77C519D2ADA895E7ECF12
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MIIDUDCCAjigAwIBAgIQImsjBGfFTk6M7sZzNVcAwDANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDExphdXRoLmluc3RhbGxlcnNlcnZpY2VzLmNvbTAeFw0yMzEwMjUyMzEzNDhaFw0yODEwMjUyMzIzNDhaMCUxIzAhBgNVBAMTGmF1dGguaW5zdGFsbGVyc2VydmljZXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwnTHlqfx0MmiBSvhwkjmo2Y53B2ED6kyYgNgsSoX090DwL9g08Q2LnfEEFH+mif1Zv6jztT5QvWXjjroucDJQzZFBz/xbd1zilX80JFxD/8TIiKdmg73eXcrkSTsQUz97HwnpZbQDWbQJh/QxbvRIrJrcU2ADGsC5KBpRVXJ3t9m3TKNrfbAtKpPonso6+6GHvwUNTZUU9UgvDV3qGpDSniqumK3a1U9hphJJBb8us3o3538CM3tJAJ2w/bDGA/MOaTInkspZIQpecv16wkMWuLyHUxAaMDIO0tuIKxeIka0PaTAaZdw6BXofnNqwDD5JloOGm323JAR3pe+hJmSmQIDAQABo3wwejAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUL8Xv6MyxPZ8/T+cj4fEkfSpVzqEwHQYDVR0OBBYEFC/F7+jMsT2fP0/nI+HxJH0qVc6hMA0GCSqGSIb3DQEBCwUAA4IBAQASgm1VIK9vC88LPaCv7qPEd2TUtRrOi/VG2HkcpmBIKGoDeFa41jzKpO25iMg4MQhlXuljIYMDch8YpZETcFvBXHzfCF7Rc+kl/K5tFd8kHGMItiPuwZV/BfvL9Wu4gY4g1skfRpiemP1gZvlc1fZlEoYDqAIzODkRyXOd2nsa7zt8iGTdNujZ8A/IyQzGNeqtmt+bpNvKojkB

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\WHQUF4KURLOTATA7WCHH.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2817024
                                                                                                                                                                                                                                                                      Entropy (8bit):6.502583084865015
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:M7ElLg4wLHnisqQk6Oeq/s+RYoL+w3moQsKDURHr9:M7El07EQkdeqFRYCz3moQzDuL9
                                                                                                                                                                                                                                                                      MD5:27D1C23073BBF3BE2092A18AB4CF9818
                                                                                                                                                                                                                                                                      SHA1:CC101A86E9519506179C51B3FE675A52A701C6BE
                                                                                                                                                                                                                                                                      SHA-256:FBE50F1EE3463F3B76126739B438AF49EDD32FCE2B636F57A9741B1689160C8B
                                                                                                                                                                                                                                                                      SHA-512:AE692D5679119EA1E07832A2ABC2ACC3B58E76BF6BAA1CD43CB0AF30EA0AAC684DB9C53B0CE8AFCCAEC5FDFFCBED0254FD4F8D7C20B32C00EB3F53C839FBED5A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....\.+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...ehjhpitf..*......n*..h..............@...ijjaccto. ... +.......*.............@....taggant.@...@+.."....*.............@...................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j0gywjwa.s22.ps1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqvj11ct.bkh.psm1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ssxj0hle.i10.psm1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxu4z54a.3pj.psm1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xg013ltv.nrh.ps1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmp0zwtr.trj.ps1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjaj1fu1.dh5.psm1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zkjzofzw.cz1.ps1

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):3023360
                                                                                                                                                                                                                                                                      Entropy (8bit):6.553754884227523
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:49152:Zr515k/dk6Cw71eUMEdzK8Epe8C4IYilUBEhfqluQpq+K:5515k1klQ19LdzK8EpHICEc0aK
                                                                                                                                                                                                                                                                      MD5:8C724813B4468960543FCBCB4635F74F
                                                                                                                                                                                                                                                                      SHA1:23693D84C1441A3EDC77686C5A613F747CCFF8A6
                                                                                                                                                                                                                                                                      SHA-256:4CC2D946C5C43426F509193CB5BEE665F59F46C795C4DA045D3B5940D660E6D4
                                                                                                                                                                                                                                                                      SHA-512:C10F32547CD5A5921FA826EB11D437887B13B75ECD6D4A284288E12498E9D5406A779FB2FA2632D38412B6310DC53FCA530E59DC3B80DB76165431B2CF405CFA
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................2......5....@.................................W...k.............................1.............................H.1..................................................... . ............................@....rsrc...............................@....idata ............................@...kfjqblss..+.......+.................@...vivpivkj......1.......-.............@....taggant.0....1.."..................@...........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):26
                                                                                                                                                                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:[ZoneTransfer]....ZoneId=0

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):0.4593089050301797
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
                                                                                                                                                                                                                                                                      MD5:D910AD167F0217587501FDCDB33CC544
                                                                                                                                                                                                                                                                      SHA1:2F57441CEFDC781011B53C1C5D29AC54835AFC1D
                                                                                                                                                                                                                                                                      SHA-256:E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
                                                                                                                                                                                                                                                                      SHA-512:F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 22:12:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2677
                                                                                                                                                                                                                                                                      Entropy (8bit):3.979837070882284
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:8oddRsTCmeHuidAKZdA19ehwiZUklqehXy+3:8oWzXoy
                                                                                                                                                                                                                                                                      MD5:B836CCDBDF5B7F72F92E88ED0E4371A4
                                                                                                                                                                                                                                                                      SHA1:81D950244D26592873DBCF9CACF98B416C7EF416
                                                                                                                                                                                                                                                                      SHA-256:9D11E6836E8C9317F62B13F89AD33FAC9355C976E4F9FACCAE48BDEBCD4E5F5C
                                                                                                                                                                                                                                                                      SHA-512:8ABB692E2337E4B2C970A388A2A235DD5BF249D3F9221AE27D4A85998317CCF19BDC04418EEB6D1E0298A4D21732485316847A9B3AE0B063115607B65D670C22
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:L..................F.@.. ...$+.,.....L.ikR..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yz.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........}.X......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 22:12:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2679
                                                                                                                                                                                                                                                                      Entropy (8bit):3.9952848369970697
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:8PCddRsTCmeHuidAKZdA1weh/iZUkAQkqehYy+2:8PCWzd9QNy
                                                                                                                                                                                                                                                                      MD5:E1A65AF5119B621DF80944980A4113E7
                                                                                                                                                                                                                                                                      SHA1:443593FEB1650E2E663B0B342CBC1118861FE67C
                                                                                                                                                                                                                                                                      SHA-256:3E4D322B9375AB5A7C22D400C58D34DB964ECDCD57F241B6F88C8003F120AF9E
                                                                                                                                                                                                                                                                      SHA-512:6AE19C678083E07EECAD15BC08DE8431D11C628DF6F68175942575FD4912E2BED8C12C3D80AE82A3F89E94D3C2B27F5E08B7FD03FB5D5B61C7B6B12B5C29DC66
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:L..................F.@.. ...$+.,......yikR..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yz.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........}.X......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2693
                                                                                                                                                                                                                                                                      Entropy (8bit):4.009661059299823
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:8xnddRsTCmsHuidAKZdA14tseh7sFiZUkmgqeh7sWy+BX:8xnWznn8y
                                                                                                                                                                                                                                                                      MD5:3C0D3B51B58E864F18FB0B44C9B7B7AB
                                                                                                                                                                                                                                                                      SHA1:81328E1EE38670BE5D0805D805B81B7C3BDB44BB
                                                                                                                                                                                                                                                                      SHA-256:3DA2402F3C2812B7B3F979123B8CF3312239252E4F5B0D5294B715FE4EB88C8F
                                                                                                                                                                                                                                                                      SHA-512:DED662B830ACE9E7FE0168ACA4776C71FF040A7E0BFCEAD164D077D43599FCFFE7422F5ABFC6023672CED5181B9BFF5CAA3EEB26C1A2E0BCBB6072744482AA1C
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yz.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........}.X......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 22:12:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2681
                                                                                                                                                                                                                                                                      Entropy (8bit):3.992178127004534
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:8YddRsTCmeHuidAKZdA1vehDiZUkwqehky+R:8YWzeey
                                                                                                                                                                                                                                                                      MD5:89DE3AB8ECFEFEFCCE665B5539D50157
                                                                                                                                                                                                                                                                      SHA1:E23AC24E8286812ED1C9D4CE15EEBAB087DAB2AC
                                                                                                                                                                                                                                                                      SHA-256:A5C95A822C5588AF2C0BD7211DED23BBC50A67522325E15CF5EA491FBD2CE856
                                                                                                                                                                                                                                                                      SHA-512:D030CD9356076C1A818B0F14455818F2BFAB764AE9E85804522476BD8095EC2F95C89C1F51B8E2D86C4C770FB03330421C8F3A31AB98D58F43840601ECAE19D9
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:L..................F.@.. ...$+.,....k.kikR..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yz.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........}.X......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 22:12:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2681
                                                                                                                                                                                                                                                                      Entropy (8bit):3.984589425683007
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:8bddRsTCmeHuidAKZdA1hehBiZUk1W1qeh6y+C:8bWzu9ay
                                                                                                                                                                                                                                                                      MD5:7C5285A15D0AC3EDB61331774CA5F0DA
                                                                                                                                                                                                                                                                      SHA1:87B46AFA62365B98905BB4B6CA6C5D2A6D93E621
                                                                                                                                                                                                                                                                      SHA-256:400F900A325B4CB6FA7E28FBF8C2D43247DE2C06AA4DF16DCFCCE5037DC29A7B
                                                                                                                                                                                                                                                                      SHA-512:CE625D2B8BD9F812D201F911F46F6E97FB84B23E00119B47E1FD8C733B3186227FE9E61F033E681D0AE2A68E2DF6603163AECEFA812BA701CA7018E802D7DA00
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:L..................F.@.. ...$+.,.......ikR..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yz.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........}.X......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 19 22:12:02 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2683
                                                                                                                                                                                                                                                                      Entropy (8bit):3.993248146721386
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:8eddRsTCmeHuidAKZdA1duT+ehOuTbbiZUk5OjqehOuTb8y+yT+:8eWzQT/TbxWOvTb8y7T
                                                                                                                                                                                                                                                                      MD5:A5D06B9180C60FD40235E9EE42DBF727
                                                                                                                                                                                                                                                                      SHA1:7C013D15B0C3EB266D0A1539852E6D5C781B8483
                                                                                                                                                                                                                                                                      SHA-256:C01948BBF867CDA678C84CF69B99A68334FDE25CDAD0C33785860C11848C064D
                                                                                                                                                                                                                                                                      SHA-512:84C797DCD59D8314905D7F9368DE2399AD886E3AA1DC0574576048AF934C72487004D0F8E100EC12F6DC9370D7D4A048A75B38C489DF3708212AAEFF620FE444
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:L..................F.@.. ...$+.,.....?[ikR..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Yz.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........}.X......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):5242880
                                                                                                                                                                                                                                                                      Entropy (8bit):0.03859996294213402
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                                                                                                                                                                                      MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                                                                                                                                                                                      SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                                                                                                                                                                                      SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                                                                                                                                                                                      SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                                                      Entropy (8bit):0.036363976478960836
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:G+VKjSCEkoVA1XollkVKjSCEkoVA1NXdlL9//dl1ltl:G5EAxojEArXL9X11
                                                                                                                                                                                                                                                                      MD5:480229E07A24CA433675871926C21523
                                                                                                                                                                                                                                                                      SHA1:96E02883A9B21CB84C752A49903A5125887D5B2E
                                                                                                                                                                                                                                                                      SHA-256:989507F643ABD9ACF80A989FEDA693FF9FF45341B173C3AB2F8E6EFA608C67DF
                                                                                                                                                                                                                                                                      SHA-512:7E6418EAC24D164F9440ED2E11AC6EB580AE95258EE856AF3FCB6A581DFA5CF213656EA759DC6B17EB69579F91A9CDD629815AA12FE6257C6C45883BE398543A
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:..-.....................g..!..'a.j..;'jB...pe.....-.....................g..!..'a.j..;'jB...pe...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):32824
                                                                                                                                                                                                                                                                      Entropy (8bit):0.03984870453112046
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:Ol10eCPV8U2NJN4bVhRv/rl8rEXsxdwhml8XW3R2:KGcn+7l8dMhm93w
                                                                                                                                                                                                                                                                      MD5:C04E10851D42F9FA63D79F2790104FD8
                                                                                                                                                                                                                                                                      SHA1:06C48C20E6E01F35DD951D371036C16FAECD5369
                                                                                                                                                                                                                                                                      SHA-256:5CEE171523C3A5C36524EB66BEFFAEC147E3E6739EFBDFAAA3DEFFA8DF5EFBC0
                                                                                                                                                                                                                                                                      SHA-512:FCC45F7C9E334F38295EAD5DB313F7592383092DC9D496EA5DBFDBEDEDE0F288B30A54BC1917B3C9031B78324E0D569A92AC8F4A0FE2A6173E21EB5606310E92
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:7....-...........j..;'jB.Wm...l..........j..;'jB~p......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                                      Size (bytes):11781
                                                                                                                                                                                                                                                                      Entropy (8bit):5.464671942978295
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:bnPOeRnLYbBp6XJ0aX+H6SEXK5NVa5RHWNBw8dFSl:bDeWJUascHEwu0
                                                                                                                                                                                                                                                                      MD5:8C560B03B00315C39D2F8EC1C8DC7B84
                                                                                                                                                                                                                                                                      SHA1:F00301815095D868640C9E07434E44DD16BCEAD3
                                                                                                                                                                                                                                                                      SHA-256:350AAF5C2D139F6A2F22550499C84322C117899F64D5E42880DECB5F6A73E3A3
                                                                                                                                                                                                                                                                      SHA-512:2D661984B04AEC0E42302F4ADBEA3370965DBE1730726AEB87AF88F2FE3E885E0CD4971F57AC1AA1C839CC5C0DF341CB7946739D12F94C5D7A9647991BA13BE7
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 1);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1734655977);..user_pref("app.up

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):11781
                                                                                                                                                                                                                                                                      Entropy (8bit):5.464671942978295
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:192:bnPOeRnLYbBp6XJ0aX+H6SEXK5NVa5RHWNBw8dFSl:bDeWJUascHEwu0
                                                                                                                                                                                                                                                                      MD5:8C560B03B00315C39D2F8EC1C8DC7B84
                                                                                                                                                                                                                                                                      SHA1:F00301815095D868640C9E07434E44DD16BCEAD3
                                                                                                                                                                                                                                                                      SHA-256:350AAF5C2D139F6A2F22550499C84322C117899F64D5E42880DECB5F6A73E3A3
                                                                                                                                                                                                                                                                      SHA-512:2D661984B04AEC0E42302F4ADBEA3370965DBE1730726AEB87AF88F2FE3E885E0CD4971F57AC1AA1C839CC5C0DF341CB7946739D12F94C5D7A9647991BA13BE7
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 1);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1734655977);..user_pref("app.up

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):90
                                                                                                                                                                                                                                                                      Entropy (8bit):4.194538242412464
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
                                                                                                                                                                                                                                                                      MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
                                                                                                                                                                                                                                                                      SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
                                                                                                                                                                                                                                                                      SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
                                                                                                                                                                                                                                                                      SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):90
                                                                                                                                                                                                                                                                      Entropy (8bit):4.194538242412464
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
                                                                                                                                                                                                                                                                      MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
                                                                                                                                                                                                                                                                      SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
                                                                                                                                                                                                                                                                      SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
                                                                                                                                                                                                                                                                      SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

                                                                                                                                                                                                                                                                      C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      File Type:SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):4096
                                                                                                                                                                                                                                                                      Entropy (8bit):2.0836444556178684
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
                                                                                                                                                                                                                                                                      MD5:8B40B1534FF0F4B533AF767EB5639A05
                                                                                                                                                                                                                                                                      SHA1:63EDB539EA39AD09D701A36B535C4C087AE08CC9
                                                                                                                                                                                                                                                                      SHA-256:AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
                                                                                                                                                                                                                                                                      SHA-512:54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):55
                                                                                                                                                                                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                                                                                                                                                                      C:\Windows\Tasks\skotes.job

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):290
                                                                                                                                                                                                                                                                      Entropy (8bit):3.417034625319804
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:6:dcNqVX55ZsUEZ+lX1CGdKUe6tFXqYEp5t/uy0lHtVut0:RuQ1CGAFifXVHit0
                                                                                                                                                                                                                                                                      MD5:A0D05AA6B9F5CC74B555E8C4AC3815CC
                                                                                                                                                                                                                                                                      SHA1:E2D836B01D93D6E1768E5722AEB6E93D574D37E4
                                                                                                                                                                                                                                                                      SHA-256:DFDEB6F347561B6E6D811EE4D98AFA11B3EDE9F746E5D1F27D3D5FF2C3889CD5
                                                                                                                                                                                                                                                                      SHA-512:71DA91EFFD446A67E83C97C6F6A40FA00DA6B6F20BCA23A247623A9516743554B01B402568312DE3E92EC09B366D7C3A4A43422AE71C1DA7C66E920ECC574130
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:.....O...%.I.1Y/..[.F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...................@3P.........................

                                                                                                                                                                                                                                                                      C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):147968
                                                                                                                                                                                                                                                                      Entropy (8bit):6.454649285943866
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:3072:lOBRrLUOPed9xOi756fJnhsRSK2C22/m4ESZo3XRYzXIkQfyXzdEpx:A/rLVPW0nsP2Xy+TJfWzW7
                                                                                                                                                                                                                                                                      MD5:CC36E2A5A3C64941A79C31CA320E9797
                                                                                                                                                                                                                                                                      SHA1:50C8F5DB809CFEC84735C9F4DCD6B55D53DFD9F5
                                                                                                                                                                                                                                                                      SHA-256:6FEC179C363190199C1DCDF822BE4D6B1F5C4895EBC7148A8FC9FA9512EEADE8
                                                                                                                                                                                                                                                                      SHA-512:FCEA6D62DC047E40182DC4FF1E0522CA935F9AEEFDB1517957977BC5D9AC654285A973261401F3B98ABF1F6ED62638B9E31306FD7AAEB67214CA42DFC2888AF0
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ag.....................`....................@...........................#.............................................(................................p#.........................................\............................................text...x........................... ....rdata...1.......2..................@..@.data....!!..0......................@....00cfg.......`#......*..............@..@.reloc.......p#......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                      C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe
                                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):1058336
                                                                                                                                                                                                                                                                      Entropy (8bit):6.827880169201504
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:12288:qvUGQWpy+Tac0RDffXJjyYpcyoNHSy5viczPESsQ3BaE32VfXJjyYpz:lGQB+2DR7BWYpcyo44u0aPVBWYpz
                                                                                                                                                                                                                                                                      MD5:971B0519B1C0461DB6700610E5E9CA8E
                                                                                                                                                                                                                                                                      SHA1:9A262218310F976AAF837E54B4842E53E73BE088
                                                                                                                                                                                                                                                                      SHA-256:47CF75570C1ECA775B2DD1823233D7C40924D3A8D93E0E78C943219CF391D023
                                                                                                                                                                                                                                                                      SHA-512:D234A9C5A1DA8415CD4D2626797197039F2537E98F8F43D155F815A7867876CBC1BF466BE58677C79A9199EA47D146A174998D21EF0AEBC29A4B0443F8857CB9
                                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w.m..........."...0......(........... ........@.. ....................... ............`.................................K...O....... %.............. r..........p...T............................................ ............... ..H............text........ ...................... ..`.rsrc... %.......&..................@..@.reloc..............................@..B........................H........7................................................................{8...*..{9...*..{:...*..{;...*..{<...*..{=...*..{>...*..{?...*..{@...*..{A...*..{B...*.0..\........(C.....}8.....}9.....}:......};......}<......}=......}>......}?......}@......}A......}B...*.0...........u.......;.....9....(D....{8....{8...oE...9....(F....{9....{9...oG...9....(H....{:....{:...oI...9....(J....{;....{;...oK...9....(L....{<....{<...oM...9....(N....{=....{=...oO...,w(P....{>....{>...oQ...,_(

                                                                                                                                                                                                                                                                      Chrome Cache Entry: 108

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (3915)
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):3920
                                                                                                                                                                                                                                                                      Entropy (8bit):5.83565188276101
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:96:cjliYIN6666VtJc0doo3LBXJ0BfyOhU24n9xDgTtNiR4UCBXfffffo:cZkN6666VtHd13VL9S7igS
                                                                                                                                                                                                                                                                      MD5:5AF9970D99D82772F4B5AFD3A611C344
                                                                                                                                                                                                                                                                      SHA1:AD08125DE54F7EA2682258730BAD4EC181E4CD2E
                                                                                                                                                                                                                                                                      SHA-256:EBE3DD70E3E4413BAD8E90A29354B19F7875599394FC6677C9D70EE66A468B35
                                                                                                                                                                                                                                                                      SHA-512:55B029AE0410F2B7B8021A2EDEE195FA00EB661DE765151D2DD53AED90BDF78B5C76DCC6B987D759657162E262779C402ADE3BEFB8FF5588FBF7C6C5CE5F9BD1
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:)]}'.["",["fred lorenzen nascar","archies festival frenzy bo6","sambuca restaurant closure houston","steam winter sale 2024 games","nasa astronauts stuck in space","stranger things season 5 release date","intercontinental cup real madrid pachuca","ban tp link routers"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"google:entityinfo":"CgkvbS8wOTg1ZGQSIUZyZWQgTG9yZW56ZW4g4oCUIFJhY2UgY2FyIGRyaXZlcjLDEGRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBRUFBUUFNQklnQUNFUUVERVFIL3hBQWJBQUFDQXdBREFBQUFBQUFBQUFBQUFBQUZCZ01FQndFQ0NQL0VBRGNRQUFFREFnUURCUVlFQndFQUFBQUFBQUVDQXdRRkVRQUdFaUVUTVZGQllYR0JrUlFWSWpLaHNRZENnc0Vq

                                                                                                                                                                                                                                                                      \Device\ConDrv

                                                                                                                                                                                                                                                                      Download File
                                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe
                                                                                                                                                                                                                                                                      File Type:Non-ISO extended-ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                                      Size (bytes):2991
                                                                                                                                                                                                                                                                      Entropy (8bit):5.260656765784018
                                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                                      SSDEEP:48:5vVnS2bzticY+3OtZY+3fbzticB+3OtZB+3mlPwY2SaYP2JcD2SdDPVlxb0xObOr:2op2TmhOPwV5bxqxgxQO+M
                                                                                                                                                                                                                                                                      MD5:0F062C86BDF4E1612E9BBEDC05F621C6
                                                                                                                                                                                                                                                                      SHA1:2945B3AE87634ECD232582EDF7BDB92E6651C716
                                                                                                                                                                                                                                                                      SHA-256:FC3A11C7C780152E2C7AB5B4886DB39E6855547137F5EBFD9C152870BB1F0D93
                                                                                                                                                                                                                                                                      SHA-512:98E9FF00FCC75AB8AC86DFC51CF9A09BF9E09D83797B64DA019C4643D3A5D3C4E8851E2DD27E11E685D9F203EB96AF18B8F61A4FEC091AF198AD8A6F29D7020B
                                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                                                      Preview:Ordner erstellt: C:\iatnfvyzl..Willkommen beim Textanalyseprogramm!..Geben Sie Text f.r die Analyse ein (2 Sekunden Zeit):...Die Zeit ist abgelaufen! Die Eingabe wurde nicht abgeschlossen...Generiere einen zuf.lligen Satz.....Generierter Satz: Hund Stuhl Tisch Blume..Anzahl der W.rter: 4..Fehler beim Hinzuf.gen des Ausschlusses: Add-MpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: ..ConfigListExtension...At line:1 char:1..+ Add-MpPreference -ExclusionPath C:\iatnfvyzl..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..Add-MpPreference : Operation failed with the following error: 0x%1!x!..At line:1 char:1..+ Add-MpPreference -ExclusionPath C:\iatnfvyzl..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : N

                                                                                                                                                                                                                                                                      Static File Info

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                      Entropy (8bit):6.553754884227523
                                                                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                                      File name:file.exe
                                                                                                                                                                                                                                                                      File size:3'023'360 bytes
                                                                                                                                                                                                                                                                      MD5:8c724813b4468960543fcbcb4635f74f
                                                                                                                                                                                                                                                                      SHA1:23693d84c1441a3edc77686c5a613f747ccff8a6
                                                                                                                                                                                                                                                                      SHA256:4cc2d946c5c43426f509193cb5bee665f59f46c795c4da045d3b5940d660e6d4
                                                                                                                                                                                                                                                                      SHA512:c10f32547cd5a5921fa826eb11d437887b13b75ecd6d4a284288e12498e9d5406a779fb2fa2632d38412b6310dc53fca530e59dc3b80db76165431b2cf405cfa
                                                                                                                                                                                                                                                                      SSDEEP:49152:Zr515k/dk6Cw71eUMEdzK8Epe8C4IYilUBEhfqluQpq+K:5515k1klQ19LdzK8EpHICEc0aK
                                                                                                                                                                                                                                                                      TLSH:40E55B53B50A72CFC08E1778893FCE425D5E87B9072118D7A86DA4BABE73CC215B6D24
                                                                                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

                                                                                                                                                                                                                                                                      File Icon

                                                                                                                                                                                                                                                                      Icon Hash:00928e8e8686b000

                                                                                                                                                                                                                                                                      Static PE Info

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Entrypoint:0x71d000
                                                                                                                                                                                                                                                                      Entrypoint Section:.taggant
                                                                                                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                                      Time Stamp:0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
                                                                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                                                                      OS Version Major:6
                                                                                                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                                                                                                      File Version Major:6
                                                                                                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                                                                                                      Import Hash:2eabe9054cad5152567f0699947a2c5b

                                                                                                                                                                                                                                                                      Entrypoint Preview

                                                                                                                                                                                                                                                                      Instruction
                                                                                                                                                                                                                                                                      jmp 00007F70846E5F2Ah
                                                                                                                                                                                                                                                                      verw word ptr [esi]
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add cl, ch
                                                                                                                                                                                                                                                                      add byte ptr [eax], ah
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [ebx], cl
                                                                                                                                                                                                                                                                      or al, byte ptr [eax]
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax+1Eh], ah
                                                                                                                                                                                                                                                                      adc dword ptr [eax], edx
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      push es
                                                                                                                                                                                                                                                                      add byte ptr [eax], 00000000h
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      adc byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      or ecx, dword ptr [edx]
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      xor byte ptr [esi], bl
                                                                                                                                                                                                                                                                      adc dword ptr [eax], edx
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      wait
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [ecx], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], 00000000h
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      adc byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      or ecx, dword ptr [edx]
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      and byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      or ecx, dword ptr [edx]
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      push es
                                                                                                                                                                                                                                                                      add byte ptr [eax], 00000000h
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      adc byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      or ecx, dword ptr [edx]
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      xor byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                                                      add dword ptr [eax+00000000h], eax
                                                                                                                                                                                                                                                                      add byte ptr [eax], al

                                                                                                                                                                                                                                                                      Data Directories

                                                                                                                                                                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x6a0570x6b.idata
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x690000x5d4.rsrc
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x31b1980x10kfjqblss
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x31b1480x18kfjqblss
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                                                                                      Sections

                                                                                                                                                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                                                                                      0x10000x680000x2de0058e4d40286efe69d7aee2e933d1ab4d6False0.9983129683242506data7.985538983935103IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                                                                                      .rsrc0x690000x5d40x4000351588ff312fd8e04743630fad5ef17False0.71484375data5.82962806421812IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                                                                                      .idata 0x6a0000x10000x200cc76e3822efdc911f469a3e3cc9ce9feFalse0.1484375data1.0428145631430756IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                                                                                      kfjqblss0x6b0000x2b10000x2b0800d540b1eb0234a24e91bb49adc9421cdcunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                                                                                      vivpivkj0x31c0000x10000x40042d1f2624493c8b08d5f52c30427a395False0.8056640625data6.2532936761395534IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                                                                                                      .taggant0x31d0000x30000x2200effbb8f0f503059fd19fa41fea8de9feFalse0.052964154411764705Applesoft BASIC program data, first line number 150.9089317775406961IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                                                                                                                                                                                                      Resources

                                                                                                                                                                                                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                                                                                      RT_MANIFEST0x31b1a80x3e4XML 1.0 document, ASCII text0.48092369477911645
                                                                                                                                                                                                                                                                      RT_MANIFEST0x31b58c0x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                                                                                                                                                                                                                                                      Imports

                                                                                                                                                                                                                                                                      DLLImport
                                                                                                                                                                                                                                                                      kernel32.dlllstrcpy

                                                                                                                                                                                                                                                                      Possible Origin

                                                                                                                                                                                                                                                                      Language of compilation systemCountry where language is spokenMap
                                                                                                                                                                                                                                                                      EnglishUnited States

                                                                                                                                                                                                                                                                      Network Behavior

                                                                                                                                                                                                                                                                      Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                                                      Statistics

                                                                                                                                                                                                                                                                      CPU Usage

                                                                                                                                                                                                                                                                      Click to jump to process

                                                                                                                                                                                                                                                                      Memory Usage

                                                                                                                                                                                                                                                                      Click to jump to process

                                                                                                                                                                                                                                                                      High Level Behavior Distribution

                                                                                                                                                                                                                                                                      Click to dive into process behavior distribution

                                                                                                                                                                                                                                                                      Behavior

                                                                                                                                                                                                                                                                      Click to jump to process

                                                                                                                                                                                                                                                                      System Behavior

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                                                      Start time:18:10:13
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                                                                                                                                                      Imagebase:0xe10000
                                                                                                                                                                                                                                                                      File size:3'023'360 bytes
                                                                                                                                                                                                                                                                      MD5 hash:8C724813B4468960543FCBCB4635F74F
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2160698202.0000000004780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                                                                                                      Start time:18:10:16
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x190000
                                                                                                                                                                                                                                                                      File size:3'023'360 bytes
                                                                                                                                                                                                                                                                      MD5 hash:8C724813B4468960543FCBCB4635F74F
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2202358687.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 50%, ReversingLabs
                                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                                                                      Start time:18:10:16
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      Imagebase:0x190000
                                                                                                                                                                                                                                                                      File size:3'023'360 bytes
                                                                                                                                                                                                                                                                      MD5 hash:8C724813B4468960543FCBCB4635F74F
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2200230498.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                                                                                      Start time:18:11:00
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                                                                                                                                                                      Imagebase:0x190000
                                                                                                                                                                                                                                                                      File size:3'023'360 bytes
                                                                                                                                                                                                                                                                      MD5 hash:8C724813B4468960543FCBCB4635F74F
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.2630147663.00000000052D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                                                                                                      Start time:18:11:12
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe"
                                                                                                                                                                                                                                                                      Imagebase:0xdb0000
                                                                                                                                                                                                                                                                      File size:776'832 bytes
                                                                                                                                                                                                                                                                      MD5 hash:AFD936E441BF5CBDB858E96833CC6ED3
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 68%, ReversingLabs
                                                                                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                                                                                                      Start time:18:11:12
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                                                                                      Start time:18:11:15
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017975001\a2236cc5aa.exe"
                                                                                                                                                                                                                                                                      Imagebase:0xdb0000
                                                                                                                                                                                                                                                                      File size:776'832 bytes
                                                                                                                                                                                                                                                                      MD5 hash:AFD936E441BF5CBDB858E96833CC6ED3
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.3006312115.0000000001288000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                                                                                                      Start time:18:11:20
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017977001\e565baa4b6.exe"
                                                                                                                                                                                                                                                                      Imagebase:0xdc0000
                                                                                                                                                                                                                                                                      File size:1'885'696 bytes
                                                                                                                                                                                                                                                                      MD5 hash:25FB9C54265BBACC7A055174479F0B70
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 75%, ReversingLabs
                                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:11
                                                                                                                                                                                                                                                                      Start time:18:11:25
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017978001\3494904393.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x530000
                                                                                                                                                                                                                                                                      File size:22'016 bytes
                                                                                                                                                                                                                                                                      MD5 hash:04F57C6FB2B2CD8DCC4B38E4A93D4366
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3062210997.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3062210997.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 18%, ReversingLabs
                                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:12
                                                                                                                                                                                                                                                                      Start time:18:11:25
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                                                                                                      Start time:18:11:28
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"powershell.exe" Add-MpPreference -ExclusionPath "C:\iatnfvyzl"
                                                                                                                                                                                                                                                                      Imagebase:0xb90000
                                                                                                                                                                                                                                                                      File size:433'152 bytes
                                                                                                                                                                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:14
                                                                                                                                                                                                                                                                      Start time:18:11:28
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                                                                      Start time:18:11:31
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                                                                                                                                                                                                                                                                      Imagebase:0xb90000
                                                                                                                                                                                                                                                                      File size:433'152 bytes
                                                                                                                                                                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                                                                                                      Start time:18:11:31
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                                                                                                      Start time:18:11:33
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe"
                                                                                                                                                                                                                                                                      Imagebase:0xb70000
                                                                                                                                                                                                                                                                      File size:1'800'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:3647AF905F92B479113300608444F101
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                                                                                      Start time:18:11:43
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                                                      File size:147'968 bytes
                                                                                                                                                                                                                                                                      MD5 hash:CC36E2A5A3C64941A79C31CA320E9797
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\iatnfvyzl\63506cf0a7384158900a9c4410789dbd.exe, Author: Joe Security
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 47%, ReversingLabs
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                                                                      Start time:18:11:43
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\iatnfvyzl\9c439e52050a49e0875bf199b254f370.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x18167330000
                                                                                                                                                                                                                                                                      File size:1'058'336 bytes
                                                                                                                                                                                                                                                                      MD5 hash:971B0519B1C0461DB6700610E5E9CA8E
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                                                                                                      Start time:18:11:43
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x7d0000
                                                                                                                                                                                                                                                                      File size:2'893'824 bytes
                                                                                                                                                                                                                                                                      MD5 hash:2854309DFD78A64E325E67004B94ADDF
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000015.00000003.3086871686.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:22
                                                                                                                                                                                                                                                                      Start time:18:11:44
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                                      Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:23
                                                                                                                                                                                                                                                                      Start time:18:11:47
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe"
                                                                                                                                                                                                                                                                      Imagebase:0xb70000
                                                                                                                                                                                                                                                                      File size:1'800'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:3647AF905F92B479113300608444F101
                                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3258078775.000000000169B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3275631067.000000000169B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3258078775.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3275631067.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3335757490.000000000169B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3334478529.000000000169B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:27
                                                                                                                                                                                                                                                                      Start time:18:11:51
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x350000
                                                                                                                                                                                                                                                                      File size:970'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:134E8ED7546996583F248F49C87D99A2
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:28
                                                                                                                                                                                                                                                                      Start time:18:11:54
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:taskkill /F /IM firefox.exe /T
                                                                                                                                                                                                                                                                      Imagebase:0x20000
                                                                                                                                                                                                                                                                      File size:74'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:29
                                                                                                                                                                                                                                                                      Start time:18:11:54
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:30
                                                                                                                                                                                                                                                                      Start time:18:11:56
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017979001\128703c003.exe"
                                                                                                                                                                                                                                                                      Imagebase:0xb70000
                                                                                                                                                                                                                                                                      File size:1'800'704 bytes
                                                                                                                                                                                                                                                                      MD5 hash:3647AF905F92B479113300608444F101
                                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3500289993.0000000001354000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3503373239.0000000001355000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3501962670.0000000001354000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:31
                                                                                                                                                                                                                                                                      Start time:18:11:56
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:taskkill /F /IM chrome.exe /T
                                                                                                                                                                                                                                                                      Imagebase:0x20000
                                                                                                                                                                                                                                                                      File size:74'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:32
                                                                                                                                                                                                                                                                      Start time:18:11:56
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:33
                                                                                                                                                                                                                                                                      Start time:18:11:56
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:taskkill /F /IM msedge.exe /T
                                                                                                                                                                                                                                                                      Imagebase:0x20000
                                                                                                                                                                                                                                                                      File size:74'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:34
                                                                                                                                                                                                                                                                      Start time:18:11:56
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:35
                                                                                                                                                                                                                                                                      Start time:18:11:57
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:taskkill /F /IM opera.exe /T
                                                                                                                                                                                                                                                                      Imagebase:0x20000
                                                                                                                                                                                                                                                                      File size:74'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:36
                                                                                                                                                                                                                                                                      Start time:18:11:57
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:37
                                                                                                                                                                                                                                                                      Start time:18:11:58
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:taskkill /F /IM brave.exe /T
                                                                                                                                                                                                                                                                      Imagebase:0x20000
                                                                                                                                                                                                                                                                      File size:74'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:38
                                                                                                                                                                                                                                                                      Start time:18:11:58
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:39
                                                                                                                                                                                                                                                                      Start time:18:11:58
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:40
                                                                                                                                                                                                                                                                      Start time:18:11:58
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                                                                                                                                                                                                                                      Imagebase:0x7ff79f9e0000
                                                                                                                                                                                                                                                                      File size:676'768 bytes
                                                                                                                                                                                                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:41
                                                                                                                                                                                                                                                                      Start time:18:11:58
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
                                                                                                                                                                                                                                                                      Imagebase:0x7ff79f9e0000
                                                                                                                                                                                                                                                                      File size:676'768 bytes
                                                                                                                                                                                                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:42
                                                                                                                                                                                                                                                                      Start time:18:11:59
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 --field-trial-handle=2108,i,8456486069817355234,11844497876439490650,262144 /prefetch:8
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:43
                                                                                                                                                                                                                                                                      Start time:18:11:59
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                                                                                                                                                                                                                                      Imagebase:0x7ff79f9e0000
                                                                                                                                                                                                                                                                      File size:676'768 bytes
                                                                                                                                                                                                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:44
                                                                                                                                                                                                                                                                      Start time:18:12:01
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3116d80-26e5-4678-b47c-6e372794e0eb} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 2800d16fd10 socket
                                                                                                                                                                                                                                                                      Imagebase:0x7ff79f9e0000
                                                                                                                                                                                                                                                                      File size:676'768 bytes
                                                                                                                                                                                                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:45
                                                                                                                                                                                                                                                                      Start time:18:12:01
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x9b0000
                                                                                                                                                                                                                                                                      File size:2'817'024 bytes
                                                                                                                                                                                                                                                                      MD5 hash:27D1C23073BBF3BE2092A18AB4CF9818
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:46
                                                                                                                                                                                                                                                                      Start time:18:12:03
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:47
                                                                                                                                                                                                                                                                      Start time:18:12:04
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2244,i,11399492537237456067,12274902701966245916,262144 /prefetch:8
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:48
                                                                                                                                                                                                                                                                      Start time:18:12:04
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017980001\8a13e339a3.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x7d0000
                                                                                                                                                                                                                                                                      File size:2'893'824 bytes
                                                                                                                                                                                                                                                                      MD5 hash:2854309DFD78A64E325E67004B94ADDF
                                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000030.00000003.3288737853.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:49
                                                                                                                                                                                                                                                                      Start time:18:12:06
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -parentBuildID 20230927232528 -prefsHandle 4300 -prefMapHandle 4304 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {822619a6-5657-47d3-80bf-2521004ff1f0} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" 28020772b10 rdd
                                                                                                                                                                                                                                                                      Imagebase:0x7ff79f9e0000
                                                                                                                                                                                                                                                                      File size:676'768 bytes
                                                                                                                                                                                                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:50
                                                                                                                                                                                                                                                                      Start time:18:12:12
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017981001\7ccdd68f3b.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x350000
                                                                                                                                                                                                                                                                      File size:970'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:134E8ED7546996583F248F49C87D99A2
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:51
                                                                                                                                                                                                                                                                      Start time:18:12:13
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:52
                                                                                                                                                                                                                                                                      Start time:18:12:13
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 --field-trial-handle=2228,i,13984323130618621561,12790505923431820552,262144 /prefetch:8
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:53
                                                                                                                                                                                                                                                                      Start time:18:12:18
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017984001\ebfedd813b.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x950000
                                                                                                                                                                                                                                                                      File size:1'114'112 bytes
                                                                                                                                                                                                                                                                      MD5 hash:EF08A45833A7D881C90DED1952F96CB4
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                                      • Detection: 67%, ReversingLabs
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:54
                                                                                                                                                                                                                                                                      Start time:18:12:21
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\1017982001\2fc1eb1411.exe"
                                                                                                                                                                                                                                                                      Imagebase:0x9b0000
                                                                                                                                                                                                                                                                      File size:2'817'024 bytes
                                                                                                                                                                                                                                                                      MD5 hash:27D1C23073BBF3BE2092A18AB4CF9818
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:55
                                                                                                                                                                                                                                                                      Start time:18:12:22
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:56
                                                                                                                                                                                                                                                                      Start time:18:12:23
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                                      Commandline:taskkill /F /IM firefox.exe /T
                                                                                                                                                                                                                                                                      Imagebase:0x2a0000
                                                                                                                                                                                                                                                                      File size:74'240 bytes
                                                                                                                                                                                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:57
                                                                                                                                                                                                                                                                      Start time:18:12:23
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2644 --field-trial-handle=2268,i,11916466110525037174,8440217537469921044,262144 /prefetch:8
                                                                                                                                                                                                                                                                      Imagebase:0x7ff715980000
                                                                                                                                                                                                                                                                      File size:3'242'272 bytes
                                                                                                                                                                                                                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:58
                                                                                                                                                                                                                                                                      Start time:18:12:23
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      General

                                                                                                                                                                                                                                                                      Target ID:59
                                                                                                                                                                                                                                                                      Start time:18:12:24
                                                                                                                                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
                                                                                                                                                                                                                                                                      Imagebase:0x7ff6c1cf0000
                                                                                                                                                                                                                                                                      File size:4'210'216 bytes
                                                                                                                                                                                                                                                                      MD5 hash:69222B8101B0601CC6663F8381E7E00F
                                                                                                                                                                                                                                                                      Has elevated privileges:
                                                                                                                                                                                                                                                                      Has administrator privileges:
                                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                                      Disassembly

                                                                                                                                                                                                                                                                      Reset < >

                                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                                        Execution Coverage:3.3%
                                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                                        Signature Coverage:2.8%
                                                                                                                                                                                                                                                                        Total number of Nodes:750
                                                                                                                                                                                                                                                                        Total number of Limit Nodes:24
                                                                                                                                                                                                                                                                        execution_graph 12430 e1b1a0 12431 e1b1f2 12430->12431 12432 e1b3ad CoInitialize 12431->12432 12433 e1b3fa shared_ptr std::future_error::future_error 12432->12433 12762 e120a0 12763 e2c68b __Mtx_init_in_situ 2 API calls 12762->12763 12764 e120ac 12763->12764 12928 e14120 12929 e1416a 12928->12929 12931 e141b2 std::future_error::future_error 12929->12931 12932 e13ee0 12929->12932 12933 e13f48 12932->12933 12934 e13f1e 12932->12934 12935 e13f58 12933->12935 12938 e12c00 12933->12938 12934->12931 12935->12931 12939 e12c0e 12938->12939 12945 e2b847 12939->12945 12941 e12c42 12942 e12c49 12941->12942 12951 e12c80 12941->12951 12942->12931 12944 e12c58 Concurrency::cancel_current_task 12946 e2b854 12945->12946 12950 e2b873 Concurrency::details::_Reschedule_chore 12945->12950 12954 e2cb77 12946->12954 12948 e2b864 12948->12950 12956 e2b81e 12948->12956 12950->12941 12962 e2b7fb 12951->12962 12953 e12cb2 shared_ptr 12953->12944 12955 e2cb92 CreateThreadpoolWork 12954->12955 12955->12948 12958 e2b827 Concurrency::details::_Reschedule_chore 12956->12958 12960 e2cdcc 12958->12960 12959 e2b841 12959->12950 12961 e2cde1 TpPostWork 12960->12961 12961->12959 12963 e2b807 12962->12963 12964 e2b817 12962->12964 12963->12964 12966 e2ca78 12963->12966 12964->12953 12967 e2ca8d TpReleaseWork 12966->12967 12967->12964 13050 e13fe0 13051 e14022 13050->13051 13052 e140d2 13051->13052 13053 e1408c 13051->13053 13056 e14035 std::future_error::future_error 13051->13056 13054 e13ee0 3 API calls 13052->13054 13057 e135e0 13053->13057 13054->13056 13058 e13616 13057->13058 13062 e1364e Concurrency::cancel_current_task shared_ptr std::future_error::future_error 13058->13062 13063 e12ce0 13058->13063 13060 e1369e 13061 e12c00 3 API calls 13060->13061 13060->13062 13061->13062 13062->13056 13064 e12d1d 13063->13064 13065 e2bedf InitOnceExecuteOnce 13064->13065 13066 e12d46 13065->13066 13067 e12d88 13066->13067 13069 e12d51 std::future_error::future_error 13066->13069 13072 e2bef7 13066->13072 13070 e12440 4 API calls 13067->13070 13069->13060 13071 e12d9b 13070->13071 13071->13060 13073 e2bf03 Concurrency::cancel_current_task 13072->13073 13074 e2bf73 13073->13074 13075 e2bf6a 13073->13075 13077 e12ae0 5 API calls 13074->13077 13079 e2be7f 13075->13079 13078 e2bf6f 13077->13078 13078->13067 13080 e2cc31 InitOnceExecuteOnce 13079->13080 13081 e2be97 13080->13081 13082 e2be9e 13081->13082 13083 e46cbb 4 API calls 13081->13083 13082->13078 13084 e2bea7 13083->13084 13084->13078 13262 e1af20 13263 e1af63 13262->13263 13274 e46660 13263->13274 13268 e4663f 4 API calls 13269 e1af80 13268->13269 13270 e4663f 4 API calls 13269->13270 13271 e1af98 __cftof 13270->13271 13280 e155f0 13271->13280 13273 e1b04e shared_ptr std::future_error::future_error 13275 e4a671 __fassign 4 API calls 13274->13275 13276 e1af69 13275->13276 13277 e4663f 13276->13277 13278 e4a671 __fassign 4 API calls 13277->13278 13279 e1af71 13278->13279 13279->13268 13281 e15610 13280->13281 13281->13281 13283 e15710 std::future_error::future_error 13281->13283 13284 e122c0 13281->13284 13283->13273 13287 e12280 13284->13287 13288 e12296 13287->13288 13291 e487f8 13288->13291 13294 e47609 13291->13294 13293 e122a4 13293->13281 13295 e47649 13294->13295 13298 e47631 ___std_exception_copy std::future_error::future_error 13294->13298 13296 e4690a __fassign 4 API calls 13295->13296 13295->13298 13297 e47661 13296->13297 13300 e47bc4 13297->13300 13298->13293 13302 e47bd5 13300->13302 13301 e47be4 ___std_exception_copy 13301->13298 13302->13301 13307 e48168 13302->13307 13312 e47dc2 13302->13312 13317 e47de8 13302->13317 13327 e47f36 13302->13327 13308 e48171 13307->13308 13309 e48178 13307->13309 13336 e47b50 13308->13336 13309->13302 13311 e48177 13311->13302 13313 e47dd2 13312->13313 13314 e47dcb 13312->13314 13313->13302 13315 e47b50 4 API calls 13314->13315 13316 e47dd1 13315->13316 13316->13302 13319 e47e09 ___std_exception_copy 13317->13319 13320 e47def 13317->13320 13318 e47f69 13325 e47f77 13318->13325 13326 e47f8b 13318->13326 13344 e48241 13318->13344 13319->13302 13320->13318 13320->13319 13322 e47fa2 13320->13322 13320->13325 13322->13326 13340 e48390 13322->13340 13325->13326 13348 e486ea 13325->13348 13326->13302 13328 e47f69 13327->13328 13329 e47f4f 13327->13329 13331 e48241 4 API calls 13328->13331 13333 e47f77 13328->13333 13335 e47f8b 13328->13335 13329->13328 13330 e47fa2 13329->13330 13329->13333 13332 e48390 4 API calls 13330->13332 13330->13335 13331->13333 13332->13333 13334 e486ea 4 API calls 13333->13334 13333->13335 13334->13335 13335->13302 13337 e47b62 13336->13337 13338 e48ab6 4 API calls 13337->13338 13339 e47b85 13338->13339 13339->13311 13341 e483ab 13340->13341 13342 e483dd 13341->13342 13352 e4c88e 13341->13352 13342->13325 13345 e4825a 13344->13345 13359 e4d3c8 13345->13359 13347 e4830d 13347->13325 13347->13347 13350 e4875d std::future_error::future_error 13348->13350 13351 e48707 13348->13351 13349 e4c88e __cftof 4 API calls 13349->13351 13350->13326 13351->13349 13351->13350 13355 e4c733 13352->13355 13354 e4c8a6 13354->13342 13356 e4c743 13355->13356 13357 e4690a __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 13356->13357 13358 e4c748 __cftof ___std_exception_copy 13356->13358 13357->13358 13358->13354 13361 e4d3ee 13359->13361 13371 e4d3d8 ___std_exception_copy 13359->13371 13360 e4d485 13364 e4d4e4 13360->13364 13365 e4d4ae 13360->13365 13361->13360 13362 e4d48a 13361->13362 13361->13371 13372 e4cbdf 13362->13372 13389 e4cef8 13364->13389 13366 e4d4b3 13365->13366 13367 e4d4cc 13365->13367 13378 e4d23e 13366->13378 13385 e4d0e2 13367->13385 13371->13347 13373 e4cbf1 13372->13373 13374 e4690a __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 13373->13374 13375 e4cc05 13374->13375 13376 e4cef8 GetPEB ExitProcess GetPEB RtlAllocateHeap 13375->13376 13377 e4cc0d __alldvrm __cftof ___std_exception_copy _strrchr 13375->13377 13376->13377 13377->13371 13380 e4d26c 13378->13380 13379 e4d2a5 13379->13371 13380->13379 13381 e4d2de 13380->13381 13382 e4d2b7 13380->13382 13383 e4cf9a GetPEB ExitProcess GetPEB RtlAllocateHeap 13381->13383 13384 e4d16d GetPEB ExitProcess GetPEB RtlAllocateHeap 13382->13384 13383->13379 13384->13379 13386 e4d10f 13385->13386 13387 e4d14e 13386->13387 13388 e4d16d GetPEB ExitProcess GetPEB RtlAllocateHeap 13386->13388 13387->13371 13388->13387 13390 e4cf10 13389->13390 13391 e4cf75 13390->13391 13392 e4cf9a GetPEB ExitProcess GetPEB RtlAllocateHeap 13390->13392 13391->13371 13392->13391 13168 e19ba5 13169 e19ba7 13168->13169 13170 e15c10 6 API calls 13169->13170 13171 e19cb1 13170->13171 13172 e18b30 6 API calls 13171->13172 13173 e19cc2 13172->13173 12679 e46629 12680 e464c7 __fassign 3 API calls 12679->12680 12681 e4663a 12680->12681 12910 e12170 12913 e2c6fc 12910->12913 12912 e1217a 12914 e2c724 12913->12914 12915 e2c70c 12913->12915 12914->12912 12915->12914 12917 e2cfbe 12915->12917 12918 e2ccd5 __Mtx_init_in_situ InitializeCriticalSectionEx 12917->12918 12919 e2cfd0 12918->12919 12919->12915 12968 e18d30 12969 e18d80 12968->12969 12970 e15c10 6 API calls 12969->12970 12971 e18d9a shared_ptr std::future_error::future_error 12970->12971 13001 e142b0 13004 e13ac0 13001->13004 13003 e142bb shared_ptr 13005 e13af9 13004->13005 13006 e132d0 6 API calls 13005->13006 13008 e13c38 13005->13008 13009 e13b39 __Cnd_destroy_in_situ shared_ptr __Mtx_destroy_in_situ 13005->13009 13006->13008 13007 e132d0 6 API calls 13011 e13c5f 13007->13011 13008->13007 13008->13011 13009->13003 13010 e13c68 13010->13003 13011->13010 13012 e13810 4 API calls 13011->13012 13013 e13cdb 13012->13013 13174 e177b0 13175 e177f1 shared_ptr 13174->13175 13176 e15c10 6 API calls 13175->13176 13177 e17883 shared_ptr 13175->13177 13176->13177 13178 e15c10 6 API calls 13177->13178 13180 e17953 shared_ptr std::future_error::future_error 13177->13180 13179 e179e3 13178->13179 13181 e15c10 6 API calls 13179->13181 13182 e17a15 shared_ptr 13181->13182 13183 e15c10 6 API calls 13182->13183 13188 e17aa5 shared_ptr std::future_error::future_error 13182->13188 13184 e17b7d 13183->13184 13185 e15c10 6 API calls 13184->13185 13186 e17ba0 13185->13186 13187 e15c10 6 API calls 13186->13187 13187->13188 13189 e187b0 13190 e187b6 13189->13190 13191 e187b8 GetFileAttributesA 13189->13191 13190->13191 13192 e187c4 13191->13192 13193 e247b0 13195 e24eed 13193->13195 13194 e24f59 shared_ptr std::future_error::future_error 13195->13194 13196 e17d30 7 API calls 13195->13196 13197 e250ed 13196->13197 13232 e18380 13197->13232 13199 e25106 13200 e15c10 6 API calls 13199->13200 13201 e25155 13200->13201 13202 e15c10 6 API calls 13201->13202 13203 e25171 13202->13203 13238 e19a00 13203->13238 13233 e183e5 __cftof 13232->13233 13234 e15c10 6 API calls 13233->13234 13237 e18403 shared_ptr std::future_error::future_error 13233->13237 13235 e18427 13234->13235 13236 e15c10 6 API calls 13235->13236 13236->13237 13237->13199 13239 e19a3f 13238->13239 13240 e15c10 6 API calls 13239->13240 13241 e19a47 13240->13241 13242 e18b30 6 API calls 13241->13242 13243 e19a58 13242->13243 12573 e187b2 12574 e187b6 12573->12574 12575 e187b8 GetFileAttributesA 12573->12575 12574->12575 12576 e187c4 12575->12576 12876 e1a9f4 12887 e19230 12876->12887 12878 e1aa03 shared_ptr 12879 e15c10 6 API calls 12878->12879 12885 e1aab3 shared_ptr 12878->12885 12880 e1aa65 12879->12880 12881 e15c10 6 API calls 12880->12881 12882 e1aa8d 12881->12882 12883 e15c10 6 API calls 12882->12883 12883->12885 12886 e1ad3c shared_ptr std::future_error::future_error 12885->12886 12897 e48ab6 12885->12897 12890 e19284 shared_ptr 12887->12890 12888 e15c10 6 API calls 12888->12890 12889 e19543 shared_ptr std::future_error::future_error 12889->12878 12890->12888 12895 e1944f shared_ptr 12890->12895 12891 e15c10 6 API calls 12891->12895 12892 e198b5 shared_ptr std::future_error::future_error 12892->12878 12893 e1979f shared_ptr 12893->12892 12894 e15c10 6 API calls 12893->12894 12896 e19927 shared_ptr std::future_error::future_error 12894->12896 12895->12889 12895->12891 12895->12893 12896->12878 12898 e48ad1 12897->12898 12899 e48868 4 API calls 12898->12899 12900 e48adb 12899->12900 12900->12885 13035 e14276 13036 e12410 5 API calls 13035->13036 13037 e1427f 13036->13037 13018 e19ab8 13020 e19acc 13018->13020 13021 e19b08 13020->13021 13022 e15c10 6 API calls 13021->13022 13023 e19b7c 13022->13023 13024 e18b30 6 API calls 13023->13024 13025 e19b8d 13024->13025 13026 e15c10 6 API calls 13025->13026 13027 e19cb1 13026->13027 13028 e18b30 6 API calls 13027->13028 13029 e19cc2 13028->13029 13038 e46a44 13039 e46a5c 13038->13039 13041 e46a52 13038->13041 13043 e4698d 13039->13043 13042 e46a76 __freea 13044 e4690a __fassign 4 API calls 13043->13044 13045 e4699f 13044->13045 13045->13042 12434 e18780 12435 e18786 12434->12435 12441 e46729 12435->12441 12437 e187a6 12440 e187a0 12448 e46672 12441->12448 12443 e18793 12443->12437 12444 e467b7 12443->12444 12446 e467c3 __fassign 12444->12446 12445 e467cd ___std_exception_copy 12445->12440 12446->12445 12464 e46740 12446->12464 12450 e4667e __fassign 12448->12450 12449 e46685 ___std_exception_copy 12449->12443 12450->12449 12452 e4a8c3 12450->12452 12453 e4a8cf __fassign 12452->12453 12456 e4a967 12453->12456 12455 e4a8ea 12455->12449 12459 e4a98a 12456->12459 12458 e4a9d0 __freea 12458->12455 12459->12458 12460 e4d82f 12459->12460 12462 e4d83c __fassign 12460->12462 12461 e4d867 RtlAllocateHeap 12461->12462 12463 e4d87a 12461->12463 12462->12461 12462->12463 12463->12458 12465 e46762 12464->12465 12467 e4674d __freea ___std_exception_copy 12464->12467 12465->12467 12468 e4a038 12465->12468 12467->12445 12469 e4a075 12468->12469 12470 e4a050 12468->12470 12469->12467 12470->12469 12472 e50439 12470->12472 12473 e50445 __fassign 12472->12473 12475 e5044d __dosmaperr ___std_exception_copy 12473->12475 12476 e5052b 12473->12476 12475->12469 12477 e5054d 12476->12477 12481 e50551 __dosmaperr ___std_exception_copy 12476->12481 12477->12481 12482 e500d2 12477->12482 12481->12475 12484 e500e3 12482->12484 12483 e50106 12483->12481 12486 e4fcc0 12483->12486 12484->12483 12493 e4a671 12484->12493 12487 e4fd0d 12486->12487 12531 e4690a 12487->12531 12490 e4ffbc std::future_error::future_error 12490->12481 12491 e4fd1c __cftof __fassign 12491->12490 12492 e4c719 GetPEB ExitProcess GetPEB RtlAllocateHeap __fassign 12491->12492 12539 e4b67d 12491->12539 12492->12491 12494 e4a67b __fassign 12493->12494 12495 e4d82f __fassign RtlAllocateHeap 12494->12495 12497 e4a694 __fassign __freea 12494->12497 12495->12497 12496 e4a722 12496->12483 12497->12496 12500 e48bec 12497->12500 12501 e48bf1 __fassign 12500->12501 12505 e48bfc __fassign 12501->12505 12506 e4d634 12501->12506 12520 e465ed 12505->12520 12507 e4d640 __fassign 12506->12507 12508 e4d69c ___std_exception_copy 12507->12508 12509 e4d726 12507->12509 12510 e4d81b __fassign 12507->12510 12512 e4d751 __fassign 12507->12512 12508->12505 12509->12512 12523 e4d62b 12509->12523 12511 e465ed __fassign 3 API calls 12510->12511 12513 e4d82e 12511->12513 12512->12508 12516 e4a671 __fassign 4 API calls 12512->12516 12518 e4d7a5 12512->12518 12516->12518 12517 e4d62b __fassign 4 API calls 12517->12512 12518->12508 12519 e4a671 __fassign 4 API calls 12518->12519 12519->12508 12526 e464c7 12520->12526 12524 e4a671 __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 12523->12524 12525 e4d630 12524->12525 12525->12517 12528 e464d5 __fassign 12526->12528 12527 e46520 12528->12527 12529 e4652b __fassign GetPEB ExitProcess GetPEB 12528->12529 12530 e4652a 12529->12530 12532 e4692a 12531->12532 12538 e46921 12531->12538 12533 e4a671 __fassign 4 API calls 12532->12533 12532->12538 12534 e4694a 12533->12534 12544 e4b5fb 12534->12544 12538->12491 12540 e4a671 __fassign 4 API calls 12539->12540 12541 e4b688 12540->12541 12542 e4b5fb __fassign 4 API calls 12541->12542 12543 e4b698 12542->12543 12543->12491 12545 e46960 12544->12545 12546 e4b60e 12544->12546 12548 e4b628 12545->12548 12546->12545 12552 e4f5ab 12546->12552 12549 e4b650 12548->12549 12550 e4b63b 12548->12550 12549->12538 12550->12549 12559 e4e6b1 12550->12559 12553 e4f5b7 __fassign 12552->12553 12554 e4a671 __fassign 4 API calls 12553->12554 12556 e4f5c0 __fassign 12554->12556 12555 e4f606 12555->12545 12556->12555 12557 e48bec __fassign 4 API calls 12556->12557 12558 e4f62b 12557->12558 12560 e4a671 __fassign 4 API calls 12559->12560 12561 e4e6bb 12560->12561 12564 e4e5c9 12561->12564 12563 e4e6c1 12563->12549 12568 e4e5d5 __fassign __freea 12564->12568 12565 e4e5f6 12565->12563 12566 e48bec __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 12567 e4e668 12566->12567 12569 e4e6a4 12567->12569 12570 e4a72e __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 12567->12570 12568->12565 12568->12566 12569->12563 12571 e4e695 12570->12571 12572 e4e4b0 __fassign GetPEB ExitProcess GetPEB RtlAllocateHeap 12571->12572 12572->12569 12686 e120c0 12689 e2c68b 12686->12689 12688 e120cc 12692 e2c3d5 12689->12692 12691 e2c69b 12691->12688 12693 e2c3e1 12692->12693 12694 e2c3eb 12692->12694 12695 e2c3be 12693->12695 12696 e2c39e 12693->12696 12694->12691 12705 e2cd0a 12695->12705 12696->12694 12701 e2ccd5 12696->12701 12699 e2c3d0 12699->12691 12702 e2cce3 InitializeCriticalSectionEx 12701->12702 12704 e2c3b7 12701->12704 12702->12704 12704->12691 12706 e2cd1f RtlInitializeConditionVariable 12705->12706 12706->12699 12707 e1e0c0 recv 12708 e1e122 recv 12707->12708 12709 e1e157 recv 12708->12709 12711 e1e191 12709->12711 12710 e1e2b3 std::future_error::future_error 12711->12710 12716 e2c6ac 12711->12716 12723 e2c452 12716->12723 12718 e1e2ee 12719 e2c26a 12718->12719 12720 e2c292 12719->12720 12721 e2c274 12719->12721 12720->12720 12721->12720 12740 e2c297 12721->12740 12724 e2c4a8 12723->12724 12726 e2c47a std::future_error::future_error 12723->12726 12724->12726 12729 e2cf6b 12724->12729 12726->12718 12727 e2c4fd __Xtime_diff_to_millis2 12727->12726 12728 e2cf6b _xtime_get GetSystemTimePreciseAsFileTime 12727->12728 12728->12727 12730 e2cf7a 12729->12730 12732 e2cf87 __aulldvrm 12729->12732 12730->12732 12733 e2cf44 12730->12733 12732->12727 12736 e2cbea 12733->12736 12737 e2cc07 12736->12737 12738 e2cbfb GetSystemTimePreciseAsFileTime 12736->12738 12737->12732 12738->12737 12743 e12ae0 12740->12743 12742 e2c2ae Concurrency::cancel_current_task 12751 e2bedf 12743->12751 12745 e12aff 12745->12742 12746 e12af4 __fassign 12746->12745 12747 e4a671 __fassign 4 API calls 12746->12747 12750 e46ccc 12747->12750 12748 e48bec __fassign 4 API calls 12749 e46cf6 12748->12749 12750->12748 12754 e2cc31 12751->12754 12755 e2cc3f InitOnceExecuteOnce 12754->12755 12757 e2bef2 12754->12757 12755->12757 12757->12746 12906 e18980 12908 e18aea 12906->12908 12909 e189d8 shared_ptr 12906->12909 12907 e15c10 6 API calls 12907->12909 12909->12907 12909->12908 13046 e12e00 13047 e12e28 13046->13047 13048 e2c68b __Mtx_init_in_situ 2 API calls 13047->13048 13049 e12e33 13048->13049 12758 e2d0c7 12759 e2d0d7 12758->12759 12760 e2d17f 12759->12760 12761 e2d17b RtlWakeAllConditionVariable 12759->12761 13252 e19f44 13253 e19f4c shared_ptr 13252->13253 13254 e1a953 Sleep CreateMutexA 13253->13254 13255 e1a01f shared_ptr 13253->13255 13256 e1a98e 13254->13256 12836 e13c47 12837 e13c51 12836->12837 12840 e13c5f 12837->12840 12843 e132d0 12837->12843 12838 e13c68 12840->12838 12841 e13810 4 API calls 12840->12841 12842 e13cdb 12841->12842 12844 e2c6ac GetSystemTimePreciseAsFileTime 12843->12844 12847 e13314 12844->12847 12845 e1336b 12846 e2c26a 5 API calls 12845->12846 12849 e1333c __Mtx_unlock 12846->12849 12847->12845 12847->12849 12862 e2bd4c 12847->12862 12850 e2c26a 5 API calls 12849->12850 12851 e13350 std::future_error::future_error 12849->12851 12852 e13377 12850->12852 12851->12840 12853 e2c6ac GetSystemTimePreciseAsFileTime 12852->12853 12854 e133af 12853->12854 12855 e2c26a 5 API calls 12854->12855 12856 e133b6 __Cnd_broadcast 12854->12856 12855->12856 12857 e2c26a 5 API calls 12856->12857 12858 e133d7 __Mtx_unlock 12856->12858 12857->12858 12859 e2c26a 5 API calls 12858->12859 12860 e133eb 12858->12860 12861 e1340e 12859->12861 12860->12840 12861->12840 12865 e2bb72 12862->12865 12864 e2bd5c 12864->12847 12866 e2bb9c 12865->12866 12867 e2cf6b _xtime_get GetSystemTimePreciseAsFileTime 12866->12867 12870 e2bba4 __Xtime_diff_to_millis2 std::future_error::future_error 12866->12870 12868 e2bbcf __Xtime_diff_to_millis2 12867->12868 12869 e2cf6b _xtime_get GetSystemTimePreciseAsFileTime 12868->12869 12868->12870 12869->12870 12870->12864 12765 e13c8e 12766 e13c98 12765->12766 12768 e13ca5 12766->12768 12773 e12410 12766->12773 12770 e13ccf 12768->12770 12777 e13810 12768->12777 12771 e13810 4 API calls 12770->12771 12772 e13cdb 12771->12772 12774 e12424 12773->12774 12781 e2b52d 12774->12781 12778 e1381c 12777->12778 12823 e12440 12778->12823 12789 e43aed 12781->12789 12783 e2b5a5 ___std_exception_copy 12796 e2b1ad 12783->12796 12785 e2b598 12792 e2af56 12785->12792 12788 e1242a 12788->12768 12800 e44f29 12789->12800 12791 e2b555 12791->12783 12791->12785 12791->12788 12793 e2af9f ___std_exception_copy 12792->12793 12795 e2afb2 shared_ptr 12793->12795 12806 e2b39f 12793->12806 12795->12788 12797 e2b1d8 12796->12797 12799 e2b1e1 shared_ptr 12796->12799 12798 e2b39f 5 API calls 12797->12798 12798->12799 12799->12788 12801 e44f2e __fassign 12800->12801 12801->12791 12802 e4d634 __fassign 4 API calls 12801->12802 12805 e48bfc __fassign 12801->12805 12802->12805 12803 e465ed __fassign 3 API calls 12804 e48c2f 12803->12804 12805->12803 12807 e2bedf InitOnceExecuteOnce 12806->12807 12808 e2b3e1 12807->12808 12809 e2b3e8 12808->12809 12817 e46cbb 12808->12817 12809->12795 12818 e46cc7 __fassign 12817->12818 12819 e4a671 __fassign 4 API calls 12818->12819 12820 e46ccc 12819->12820 12821 e48bec __fassign 4 API calls 12820->12821 12822 e46cf6 12821->12822 12826 e2b5d6 12823->12826 12825 e12472 12827 e2b5f1 Concurrency::cancel_current_task 12826->12827 12828 e48bec __fassign 4 API calls 12827->12828 12830 e2b658 __fassign std::future_error::future_error 12827->12830 12829 e2b69f 12828->12829 12830->12825 13244 e12b90 13245 e12bce 13244->13245 13246 e2b7fb TpReleaseWork 13245->13246 13247 e12bdb shared_ptr std::future_error::future_error 13246->13247 13393 e12b10 13394 e12b1a 13393->13394 13395 e12b1c 13393->13395 13396 e2c26a 5 API calls 13395->13396 13397 e12b22 13396->13397 13085 e287d0 13086 e2882a __cftof 13085->13086 13092 e29bb0 13086->13092 13090 e288d9 std::_Throw_future_error 13091 e2886c std::future_error::future_error 13105 e29ef0 13092->13105 13094 e29be5 13095 e12ce0 5 API calls 13094->13095 13096 e29c16 13095->13096 13109 e29f70 13096->13109 13098 e28854 13098->13091 13099 e143f0 13098->13099 13100 e2bedf InitOnceExecuteOnce 13099->13100 13101 e1440a 13100->13101 13102 e14411 13101->13102 13103 e46cbb 4 API calls 13101->13103 13102->13090 13104 e14424 13103->13104 13106 e29f0c 13105->13106 13107 e2c68b __Mtx_init_in_situ 2 API calls 13106->13107 13108 e29f17 13107->13108 13108->13094 13110 e29fef shared_ptr 13109->13110 13112 e2a058 13110->13112 13114 e2a210 13110->13114 13113 e2a03b 13113->13098 13115 e2a290 13114->13115 13121 e271d0 13115->13121 13117 e2a2cc shared_ptr 13118 e2a4be shared_ptr 13117->13118 13119 e13ee0 3 API calls 13117->13119 13118->13113 13120 e2a4a6 13119->13120 13120->13113 13122 e27211 13121->13122 13129 e13970 13122->13129 13124 e272ad __cftof 13125 e2c68b __Mtx_init_in_situ 2 API calls 13124->13125 13128 e27446 std::future_error::future_error 13124->13128 13126 e27401 13125->13126 13134 e12ec0 13126->13134 13128->13117 13130 e2c68b __Mtx_init_in_situ 2 API calls 13129->13130 13131 e139a7 13130->13131 13132 e2c68b __Mtx_init_in_situ 2 API calls 13131->13132 13133 e139e6 13132->13133 13133->13124 13135 e12f06 13134->13135 13138 e12f6f 13134->13138 13136 e2c6ac GetSystemTimePreciseAsFileTime 13135->13136 13137 e12f12 13136->13137 13140 e1301e 13137->13140 13143 e12f1d __Mtx_unlock 13137->13143 13139 e12fef 13138->13139 13145 e2c6ac GetSystemTimePreciseAsFileTime 13138->13145 13139->13128 13141 e2c26a 5 API calls 13140->13141 13142 e13024 13141->13142 13144 e2c26a 5 API calls 13142->13144 13143->13138 13143->13142 13146 e12fb9 13144->13146 13145->13146 13147 e2c26a 5 API calls 13146->13147 13148 e12fc0 __Mtx_unlock 13146->13148 13147->13148 13149 e2c26a 5 API calls 13148->13149 13150 e12fd8 __Cnd_broadcast 13148->13150 13149->13150 13150->13139 13151 e2c26a 5 API calls 13150->13151 13152 e1303c 13151->13152 13153 e2c6ac GetSystemTimePreciseAsFileTime 13152->13153 13163 e13080 shared_ptr __Mtx_unlock 13153->13163 13154 e131c5 13155 e2c26a 5 API calls 13154->13155 13156 e131cb 13155->13156 13157 e2c26a 5 API calls 13156->13157 13158 e131d1 13157->13158 13159 e2c26a 5 API calls 13158->13159 13165 e13193 __Mtx_unlock 13159->13165 13160 e131a7 std::future_error::future_error 13160->13128 13161 e2c26a 5 API calls 13162 e131dd 13161->13162 13163->13154 13163->13156 13163->13160 13164 e2c6ac GetSystemTimePreciseAsFileTime 13163->13164 13166 e1315f 13164->13166 13165->13160 13165->13161 13166->13154 13166->13158 13166->13165 13167 e2bd4c GetSystemTimePreciseAsFileTime 13166->13167 13167->13166 12975 e2d111 12977 e2d122 12975->12977 12976 e2d12a 12977->12976 12979 e2d199 12977->12979 12980 e2d1a7 SleepConditionVariableCS 12979->12980 12982 e2d1c0 12979->12982 12980->12982 12982->12977 12577 e1a856 12578 e1a870 12577->12578 12579 e1a892 shared_ptr 12577->12579 12578->12579 12580 e1a94e 12578->12580 12584 e1a8a0 12579->12584 12593 e17d30 12579->12593 12582 e1a953 Sleep CreateMutexA 12580->12582 12585 e1a98e 12582->12585 12583 e1a8ae 12583->12584 12586 e17d30 7 API calls 12583->12586 12587 e1a8b8 12586->12587 12587->12584 12588 e17d30 7 API calls 12587->12588 12589 e1a8c2 12588->12589 12589->12584 12590 e17d30 7 API calls 12589->12590 12591 e1a8cc 12590->12591 12591->12584 12592 e17d30 7 API calls 12591->12592 12592->12584 12594 e17d96 __cftof 12593->12594 12600 e17ee8 shared_ptr std::future_error::future_error 12594->12600 12632 e15c10 12594->12632 12596 e17dd2 12597 e15c10 6 API calls 12596->12597 12599 e17dff shared_ptr 12597->12599 12598 e17ed3 GetNativeSystemInfo 12601 e17ed7 12598->12601 12599->12598 12599->12600 12599->12601 12600->12583 12601->12600 12602 e18019 12601->12602 12603 e17f3f 12601->12603 12604 e15c10 6 API calls 12602->12604 12605 e15c10 6 API calls 12603->12605 12607 e1804c 12604->12607 12606 e17f67 12605->12606 12608 e15c10 6 API calls 12606->12608 12609 e15c10 6 API calls 12607->12609 12610 e17f86 12608->12610 12611 e1806b 12609->12611 12642 e48bbe 12610->12642 12613 e15c10 6 API calls 12611->12613 12614 e180a3 12613->12614 12615 e15c10 6 API calls 12614->12615 12616 e180f4 12615->12616 12617 e15c10 6 API calls 12616->12617 12618 e18113 12617->12618 12619 e15c10 6 API calls 12618->12619 12620 e1814b 12619->12620 12621 e15c10 6 API calls 12620->12621 12622 e1819c 12621->12622 12623 e15c10 6 API calls 12622->12623 12624 e181bb 12623->12624 12625 e15c10 6 API calls 12624->12625 12626 e181f3 12625->12626 12627 e15c10 6 API calls 12626->12627 12628 e18244 12627->12628 12629 e15c10 6 API calls 12628->12629 12630 e18263 12629->12630 12631 e15c10 6 API calls 12630->12631 12631->12600 12633 e15c54 12632->12633 12645 e14b30 12633->12645 12635 e15d17 shared_ptr std::future_error::future_error 12635->12596 12636 e15c7b __cftof 12636->12635 12637 e15da7 RegOpenKeyExA 12636->12637 12638 e15e00 RegCloseKey 12637->12638 12640 e15e26 12638->12640 12639 e15ea6 shared_ptr std::future_error::future_error 12639->12596 12640->12639 12641 e15c10 4 API calls 12640->12641 12673 e48868 12642->12673 12644 e48bdc 12644->12600 12647 e14ce5 12645->12647 12648 e14b92 12645->12648 12647->12636 12648->12647 12649 e46da6 12648->12649 12650 e46db4 12649->12650 12651 e46dc2 __fassign 12649->12651 12654 e46d19 12650->12654 12651->12648 12655 e4690a __fassign 4 API calls 12654->12655 12656 e46d2c 12655->12656 12659 e46d52 12656->12659 12658 e46d3d 12658->12648 12660 e46d8f 12659->12660 12661 e46d5f 12659->12661 12662 e4b67d 4 API calls 12660->12662 12664 e46d6e __fassign 12661->12664 12665 e4b6a1 12661->12665 12662->12664 12664->12658 12666 e4690a __fassign 4 API calls 12665->12666 12667 e4b6be 12666->12667 12669 e4b6ce std::future_error::future_error 12667->12669 12670 e4f1bf 12667->12670 12669->12664 12671 e4690a __fassign 4 API calls 12670->12671 12672 e4f1df __cftof __fassign __freea std::future_error::future_error 12671->12672 12672->12669 12674 e4887a 12673->12674 12675 e4690a __fassign 4 API calls 12674->12675 12678 e4888f ___std_exception_copy 12674->12678 12677 e488bf 12675->12677 12676 e46d52 4 API calls 12676->12677 12677->12676 12677->12678 12678->12644 12925 e1215a 12926 e2c6fc InitializeCriticalSectionEx 12925->12926 12927 e12164 12926->12927 12983 e19adc 12984 e19aea 12983->12984 12987 e19afe shared_ptr 12983->12987 12985 e1a917 12984->12985 12984->12987 12986 e1a953 Sleep CreateMutexA 12985->12986 12988 e1a98e 12986->12988 12989 e15c10 6 API calls 12987->12989 12990 e19b7c 12989->12990 12997 e18b30 12990->12997 12992 e19b8d 12993 e15c10 6 API calls 12992->12993 12994 e19cb1 12993->12994 12995 e18b30 6 API calls 12994->12995 12996 e19cc2 12995->12996 12998 e18b7c 12997->12998 12999 e15c10 6 API calls 12998->12999 13000 e18b97 shared_ptr std::future_error::future_error 12999->13000 13000->12992 13248 e13f9f 13249 e13fad 13248->13249 13251 e13fb6 13248->13251 13250 e12410 5 API calls 13249->13250 13250->13251

                                                                                                                                                                                                                                                                        Executed Functions

                                                                                                                                                                                                                                                                        Function 00E4652B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • ExitProcess.KERNEL32(?,?,00E4652A,?,?,?,?,?,00E47661), ref: 00E46567
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ExitProcess
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 621844428-0
                                                                                                                                                                                                                                                                        • Opcode ID: 5f767a97a43af938bfd5095905987a26342d977b1a1a7e04bcccd082704bd23d
                                                                                                                                                                                                                                                                        • Instruction ID: 1681fb227a9ef1031e422054e9bae7b2279f54d0aef7285ee6d3d93904b06a7e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f767a97a43af938bfd5095905987a26342d977b1a1a7e04bcccd082704bd23d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BAE086300411086FCE25BF18D849D4D3B59EB5275EF042C10F90D9A126CB29ED42C541
                                                                                                                                                                                                                                                                        Function 049A0C4E Relevance: .1, Instructions: 104COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2204262100.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_49a0000_file.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 7382993936ac7cce9a21911580fa77a79e61f0bb061110ede4802bbaad31de6d
                                                                                                                                                                                                                                                                        • Instruction ID: 1f0731064e11967b85e7bd3ef333db585945c514a02c877a4f68af083e3c4a56
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7382993936ac7cce9a21911580fa77a79e61f0bb061110ede4802bbaad31de6d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BE1193EB24D220BDB14189826B54AFB676ED1D6B30731C83BF806C5506E2992E6E7172
                                                                                                                                                                                                                                                                        Function 00E15C10 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 434COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                                                                                                                                                                                                                                                                        • API String ID: 0-3963862150
                                                                                                                                                                                                                                                                        • Opcode ID: d2fd4b0fdff712d78c32854356c1932cc8f90a6dcab22884d28c3efba9e19e0a
                                                                                                                                                                                                                                                                        • Instruction ID: 39127cb5279fc4d6411363a8485b21631a2064244f1400149dc553976e6a3885
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d2fd4b0fdff712d78c32854356c1932cc8f90a6dcab22884d28c3efba9e19e0a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 22F1D071A002589FEB24DF14CD85BDEBBB9EB84304F5046A9E518B72C1DB749AC4CF91
                                                                                                                                                                                                                                                                        Function 00E19BA5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 92 e19ba5-e19d91 call e27a00 call e15c10 call e18b30 call e28220
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: 9d81af3b5af2324dce86289aba652f8c8cd6254c875ee01c96dbddd5440f8b5d
                                                                                                                                                                                                                                                                        • Instruction ID: fc5c75adb4bfbc3da6a08b0c67dda3d7691a2ce7f040a310018d5a85240825a8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d81af3b5af2324dce86289aba652f8c8cd6254c875ee01c96dbddd5440f8b5d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A3148716052448BEB08DB78EC99BEDF7A2EBC2324F249228E054F73D6C77999C08751
                                                                                                                                                                                                                                                                        Function 00E19F44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 114 e19f44-e19f64 118 e19f92-e19fae 114->118 119 e19f66-e19f72 114->119 122 e19fb0-e19fbc 118->122 123 e19fdc-e19ffb 118->123 120 e19f74-e19f82 119->120 121 e19f88-e19f8f call e2d663 119->121 120->121 126 e1a92b 120->126 121->118 128 e19fd2-e19fd9 call e2d663 122->128 129 e19fbe-e19fcc 122->129 124 e1a029-e1a916 call e280c0 123->124 125 e19ffd-e1a009 123->125 131 e1a00b-e1a019 125->131 132 e1a01f-e1a026 call e2d663 125->132 134 e1a953-e1a994 Sleep CreateMutexA 126->134 135 e1a92b call e46c6a 126->135 128->123 129->126 129->128 131->126 131->132 132->124 143 e1a9a7-e1a9a8 134->143 144 e1a996-e1a998 134->144 135->134 144->143 146 e1a99a-e1a9a5 144->146 146->143
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: e08bb39c2db8cde33d71711fd6d8d4698fc73a12d9eb5d0c868f971b2c30da30
                                                                                                                                                                                                                                                                        • Instruction ID: 16fe867e60e79a07836a7d88af15eff14f70a515ffd2dc03fc0063d49af0478e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e08bb39c2db8cde33d71711fd6d8d4698fc73a12d9eb5d0c868f971b2c30da30
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 733146317051009BEB089B78EC98BFCB7A2EBCA314F289229E014F72D6C73599C08752
                                                                                                                                                                                                                                                                        Function 00E1A079 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 148 e1a079-e1a099 152 e1a0c7-e1a0e3 148->152 153 e1a09b-e1a0a7 148->153 156 e1a111-e1a130 152->156 157 e1a0e5-e1a0f1 152->157 154 e1a0a9-e1a0b7 153->154 155 e1a0bd-e1a0c4 call e2d663 153->155 154->155 160 e1a930-e1a994 call e46c6a Sleep CreateMutexA 154->160 155->152 158 e1a132-e1a13e 156->158 159 e1a15e-e1a916 call e280c0 156->159 162 e1a0f3-e1a101 157->162 163 e1a107-e1a10e call e2d663 157->163 165 e1a140-e1a14e 158->165 166 e1a154-e1a15b call e2d663 158->166 178 e1a9a7-e1a9a8 160->178 179 e1a996-e1a998 160->179 162->160 162->163 163->156 165->160 165->166 166->159 179->178 180 e1a99a-e1a9a5 179->180 180->178
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: 7f6c6974c2bd9e80711b54ee69756241aedc2db50a82c493f7a2da3e247267af
                                                                                                                                                                                                                                                                        • Instruction ID: 0a613158db99dd3b5cf9945f3cc7be0f1602336a1d7f28e8365b7e37d9a1ec47
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f6c6974c2bd9e80711b54ee69756241aedc2db50a82c493f7a2da3e247267af
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 943128717061009BEB18DB78ED89BBDB7A2EBC6314F285228E014F72D5C77559C08652
                                                                                                                                                                                                                                                                        Function 00E1A1AE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 182 e1a1ae-e1a1ce 186 e1a1d0-e1a1dc 182->186 187 e1a1fc-e1a218 182->187 188 e1a1f2-e1a1f9 call e2d663 186->188 189 e1a1de-e1a1ec 186->189 190 e1a246-e1a265 187->190 191 e1a21a-e1a226 187->191 188->187 189->188 192 e1a935 189->192 196 e1a293-e1a916 call e280c0 190->196 197 e1a267-e1a273 190->197 194 e1a228-e1a236 191->194 195 e1a23c-e1a243 call e2d663 191->195 202 e1a953-e1a994 Sleep CreateMutexA 192->202 203 e1a935 call e46c6a 192->203 194->192 194->195 195->190 198 e1a275-e1a283 197->198 199 e1a289-e1a290 call e2d663 197->199 198->192 198->199 199->196 211 e1a9a7-e1a9a8 202->211 212 e1a996-e1a998 202->212 203->202 212->211 214 e1a99a-e1a9a5 212->214 214->211
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: cc652010c09bf4eb7ad10cf96c367c97ad2eb654ad9c3df5c2a60f2c2b840cd2
                                                                                                                                                                                                                                                                        • Instruction ID: 7f1bdb3efd3083891f59cbefa9f0ab9eb72408d3c72322ce977ac08df687fe34
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc652010c09bf4eb7ad10cf96c367c97ad2eb654ad9c3df5c2a60f2c2b840cd2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 733105717061409BEB189B78EC89BFDB7A2EFC6314F285228E014B72E5D77699C08652
                                                                                                                                                                                                                                                                        Function 00E1A418 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 216 e1a418-e1a438 220 e1a466-e1a482 216->220 221 e1a43a-e1a446 216->221 222 e1a4b0-e1a4cf 220->222 223 e1a484-e1a490 220->223 224 e1a448-e1a456 221->224 225 e1a45c-e1a463 call e2d663 221->225 230 e1a4d1-e1a4dd 222->230 231 e1a4fd-e1a916 call e280c0 222->231 228 e1a492-e1a4a0 223->228 229 e1a4a6-e1a4ad call e2d663 223->229 224->225 226 e1a93f-e1a949 call e46c6a * 2 224->226 225->220 247 e1a94e 226->247 248 e1a949 call e46c6a 226->248 228->226 228->229 229->222 236 e1a4f3-e1a4fa call e2d663 230->236 237 e1a4df-e1a4ed 230->237 236->231 237->226 237->236 249 e1a953-e1a994 Sleep CreateMutexA 247->249 250 e1a94e call e46c6a 247->250 248->247 252 e1a9a7-e1a9a8 249->252 253 e1a996-e1a998 249->253 250->249 253->252 254 e1a99a-e1a9a5 253->254 254->252
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: 54e29b31394e09173c3f0c7c2fb55d70b7341925d41f012fc14e08b0d6d274a1
                                                                                                                                                                                                                                                                        • Instruction ID: 014de02b0a1e8eaedd2c4673d4c9e421358822db4ced4db896b396f87474a660
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 54e29b31394e09173c3f0c7c2fb55d70b7341925d41f012fc14e08b0d6d274a1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 873107716061009BEB189B78EDC9BFDB7A2EFC2318F286228E064B72D5D77559C08652
                                                                                                                                                                                                                                                                        Function 00E1A54D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 256 e1a54d-e1a56d 260 e1a59b-e1a5b7 256->260 261 e1a56f-e1a57b 256->261 264 e1a5e5-e1a604 260->264 265 e1a5b9-e1a5c5 260->265 262 e1a591-e1a598 call e2d663 261->262 263 e1a57d-e1a58b 261->263 262->260 263->262 268 e1a944-e1a949 call e46c6a 263->268 266 e1a632-e1a916 call e280c0 264->266 267 e1a606-e1a612 264->267 270 e1a5c7-e1a5d5 265->270 271 e1a5db-e1a5e2 call e2d663 265->271 272 e1a614-e1a622 267->272 273 e1a628-e1a62f call e2d663 267->273 283 e1a94e 268->283 284 e1a949 call e46c6a 268->284 270->268 270->271 271->264 272->268 272->273 273->266 286 e1a953-e1a994 Sleep CreateMutexA 283->286 287 e1a94e call e46c6a 283->287 284->283 290 e1a9a7-e1a9a8 286->290 291 e1a996-e1a998 286->291 287->286 291->290 292 e1a99a-e1a9a5 291->292 292->290
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: bbd086df6b7e98593a234ee935fd7ab8d3a1b4798bf5f451d8ae5e215ccbf4e3
                                                                                                                                                                                                                                                                        • Instruction ID: 775abbc36415552aa4cf69bd378a82b6a2921673ead3da9c60b588dc6c026b92
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bbd086df6b7e98593a234ee935fd7ab8d3a1b4798bf5f451d8ae5e215ccbf4e3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9312A316061408BEB18DB78EDC9BBCB7A2EBC6318F285228E054F72D5C73599C08712
                                                                                                                                                                                                                                                                        Function 00E1A682 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 294 e1a682-e1a6a2 298 e1a6d0-e1a6ec 294->298 299 e1a6a4-e1a6b0 294->299 302 e1a71a-e1a739 298->302 303 e1a6ee-e1a6fa 298->303 300 e1a6b2-e1a6c0 299->300 301 e1a6c6-e1a6cd call e2d663 299->301 300->301 308 e1a949 300->308 301->298 306 e1a767-e1a916 call e280c0 302->306 307 e1a73b-e1a747 302->307 304 e1a710-e1a717 call e2d663 303->304 305 e1a6fc-e1a70a 303->305 304->302 305->304 305->308 311 e1a749-e1a757 307->311 312 e1a75d-e1a764 call e2d663 307->312 313 e1a94e 308->313 314 e1a949 call e46c6a 308->314 311->308 311->312 312->306 317 e1a953-e1a994 Sleep CreateMutexA 313->317 318 e1a94e call e46c6a 313->318 314->313 326 e1a9a7-e1a9a8 317->326 327 e1a996-e1a998 317->327 318->317 327->326 328 e1a99a-e1a9a5 327->328 328->326
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: 5f765b72d59fbeddf8926b5b9d849554d127254c598244284dc43b4251c93ec5
                                                                                                                                                                                                                                                                        • Instruction ID: db91c327c5e1a0696acee81578d597691bc1620ab3d4cf1a70babb77498400c5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f765b72d59fbeddf8926b5b9d849554d127254c598244284dc43b4251c93ec5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E23128716061409BEB18DB78ED89BBDB7A2EBC2324F289229E054F72D5C73559C08652
                                                                                                                                                                                                                                                                        Function 00E19ADC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 330 e19adc-e19ae8 331 e19aea-e19af8 330->331 332 e19afe-e19d91 call e2d663 call e27a00 call e15c10 call e18b30 call e28220 call e27a00 call e15c10 call e18b30 call e28220 330->332 331->332 333 e1a917 331->333 335 e1a953-e1a994 Sleep CreateMutexA 333->335 336 e1a917 call e46c6a 333->336 341 e1a9a7-e1a9a8 335->341 342 e1a996-e1a998 335->342 336->335 342->341 344 e1a99a-e1a9a5 342->344 344->341
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: 48766e3a6c80e3c1e29fe6dafd6d612e44f2e94f1b6edf7d29504c8ffc912a81
                                                                                                                                                                                                                                                                        • Instruction ID: 75f6cd12a3c0c2596d75cd9b84b0d7fc0440d8f7edbc001ab329eb9b34b797d0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48766e3a6c80e3c1e29fe6dafd6d612e44f2e94f1b6edf7d29504c8ffc912a81
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60214C317052009BFB189F68FCD5BACF7A1EBC1314F245229E418F72D5D77559C08611
                                                                                                                                                                                                                                                                        Function 00E1A856 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 398 e1a856-e1a86e 399 e1a870-e1a87c 398->399 400 e1a89c-e1a89e 398->400 401 e1a892-e1a899 call e2d663 399->401 402 e1a87e-e1a88c 399->402 403 e1a8a0-e1a8a7 400->403 404 e1a8a9-e1a8b1 call e17d30 400->404 401->400 402->401 405 e1a94e 402->405 407 e1a8eb-e1a916 call e280c0 403->407 414 e1a8b3-e1a8bb call e17d30 404->414 415 e1a8e4-e1a8e6 404->415 409 e1a953-e1a987 Sleep CreateMutexA 405->409 410 e1a94e call e46c6a 405->410 417 e1a98e-e1a994 409->417 410->409 414->415 423 e1a8bd-e1a8c5 call e17d30 414->423 415->407 419 e1a9a7-e1a9a8 417->419 420 e1a996-e1a998 417->420 420->419 422 e1a99a-e1a9a5 420->422 422->419 423->415 427 e1a8c7-e1a8cf call e17d30 423->427 427->415 430 e1a8d1-e1a8d9 call e17d30 427->430 430->415 433 e1a8db-e1a8e2 430->433 433->407
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: 566a1a0d57b645202a6ce32f9452385b2473a69b90d22b7d3150331800930159
                                                                                                                                                                                                                                                                        • Instruction ID: 50c5ef31ca4cf27d798c319d299a80a0de637108d64934506915f0ca11d656b9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 566a1a0d57b645202a6ce32f9452385b2473a69b90d22b7d3150331800930159
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C721307124A2049AF7285B6CEC9E7FDF3A1DFC2704F282536E544F62D2CA7645C15153
                                                                                                                                                                                                                                                                        Function 00E1A34F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 375 e1a34f-e1a35b 376 e1a371-e1a39a call e2d663 375->376 377 e1a35d-e1a36b 375->377 383 e1a3c8-e1a916 call e280c0 376->383 384 e1a39c-e1a3a8 376->384 377->376 378 e1a93a 377->378 380 e1a953-e1a994 Sleep CreateMutexA 378->380 381 e1a93a call e46c6a 378->381 389 e1a9a7-e1a9a8 380->389 390 e1a996-e1a998 380->390 381->380 387 e1a3aa-e1a3b8 384->387 388 e1a3be-e1a3c5 call e2d663 384->388 387->378 387->388 388->383 390->389 394 e1a99a-e1a9a5 390->394 394->389
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00E1A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00E73254), ref: 00E1A981
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID: T2
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-631260391
                                                                                                                                                                                                                                                                        • Opcode ID: 13bbeaf83980f64259c28537f535ac9391a12134ae23b48aa64a495887eb4acc
                                                                                                                                                                                                                                                                        • Instruction ID: 74b098e3cf241dd68187578abe58e200c7133cf68f06d780dd50eb5bc1b14d27
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 13bbeaf83980f64259c28537f535ac9391a12134ae23b48aa64a495887eb4acc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 902149317062009BFB189B68EC89BBCF7A2EBC2315F285239E418F76D5C77955C08252
                                                                                                                                                                                                                                                                        Function 00E17D30 Relevance: 1.9, APIs: 1, Instructions: 426COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 561 e17d30-e17db2 call e440f0 565 e18356-e18373 call e2cff1 561->565 566 e17db8-e17de0 call e27a00 call e15c10 561->566 573 e17de2 566->573 574 e17de4-e17e06 call e27a00 call e15c10 566->574 573->574 579 e17e08 574->579 580 e17e0a-e17e23 574->580 579->580 583 e17e25-e17e34 580->583 584 e17e54-e17e7f 580->584 585 e17e36-e17e44 583->585 586 e17e4a-e17e51 call e2d663 583->586 587 e17e81-e17e90 584->587 588 e17eb0-e17ed1 584->588 585->586 589 e18374 call e46c6a 585->589 586->584 591 e17e92-e17ea0 587->591 592 e17ea6-e17ead call e2d663 587->592 593 e17ed3-e17ed5 GetNativeSystemInfo 588->593 594 e17ed7-e17edc 588->594 602 e18379-e1837f call e46c6a 589->602 591->589 591->592 592->588 595 e17edd-e17ee6 593->595 594->595 600 e17f04-e17f07 595->600 601 e17ee8-e17eef 595->601 606 e182f7-e182fa 600->606 607 e17f0d-e17f16 600->607 604 e18351 601->604 605 e17ef5-e17eff 601->605 604->565 609 e1834c 605->609 606->604 612 e182fc-e18305 606->612 610 e17f29-e17f2c 607->610 611 e17f18-e17f24 607->611 609->604 614 e17f32-e17f39 610->614 615 e182d4-e182d6 610->615 611->609 616 e18307-e1830b 612->616 617 e1832c-e1832f 612->617 620 e18019-e182bd call e27a00 call e15c10 call e27a00 call e15c10 call e15d50 call e27a00 call e15c10 call e15730 call e27a00 call e15c10 call e27a00 call e15c10 call e15d50 call e27a00 call e15c10 call e15730 call e27a00 call e15c10 call e27a00 call e15c10 call e15d50 call e27a00 call e15c10 call e15730 call e27a00 call e15c10 call e27a00 call e15c10 call e15d50 call e27a00 call e15c10 call e15730 614->620 621 e17f3f-e17f9b call e27a00 call e15c10 call e27a00 call e15c10 call e15d50 614->621 618 e182e4-e182e7 615->618 619 e182d8-e182e2 615->619 622 e18320-e1832a 616->622 623 e1830d-e18312 616->623 624 e18331-e1833b 617->624 625 e1833d-e18349 617->625 618->604 627 e182e9-e182f5 618->627 619->609 658 e182c3-e182cc 620->658 646 e17fa0-e17fa7 621->646 622->604 623->622 629 e18314-e1831e 623->629 624->604 625->609 627->609 629->604 648 e17fa9 646->648 649 e17fab-e17fcb call e48bbe 646->649 648->649 655 e18002-e18004 649->655 656 e17fcd-e17fdc 649->656 655->658 659 e1800a-e18014 655->659 661 e17ff2-e17fff call e2d663 656->661 662 e17fde-e17fec 656->662 658->606 664 e182ce 658->664 659->658 661->655 662->602 662->661 664->615
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E17ED3
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: InfoNativeSystem
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1721193555-0
                                                                                                                                                                                                                                                                        • Opcode ID: 831c414ba87d82c46e466fc6c8da0e46db79f3079241c3108fda16d89801d84d
                                                                                                                                                                                                                                                                        • Instruction ID: 92ed313733253b785477ebb3412a3f5698c907c1d53bc6fb65d5867021982d52
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 831c414ba87d82c46e466fc6c8da0e46db79f3079241c3108fda16d89801d84d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 65E1F3B1E00214DBDB14BB289D473DE7AB1AB85724F94628CE459773C2DB744EC58BC2
                                                                                                                                                                                                                                                                        Function 00E4D82F Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 860 e4d82f-e4d83a 861 e4d83c-e4d846 860->861 862 e4d848-e4d84e 860->862 861->862 863 e4d87c-e4d887 call e475f6 861->863 864 e4d867-e4d878 RtlAllocateHeap 862->864 865 e4d850-e4d851 862->865 870 e4d889-e4d88b 863->870 866 e4d853-e4d85a call e49dc0 864->866 867 e4d87a 864->867 865->864 866->863 873 e4d85c-e4d865 call e48e36 866->873 867->870 873->863 873->864
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E4A813,00000001,00000364,00000006,000000FF,?,00E4EE3F,?,00000004,00000000,?,?), ref: 00E4D870
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                        • Opcode ID: 5737c74e8a8260c060479e82fd298871f62c41559518bb31ea839235799ee325
                                                                                                                                                                                                                                                                        • Instruction ID: 59cd101d3dabdd2518c9258733b2802c44009f019d1efa941eb235fc549a41be
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5737c74e8a8260c060479e82fd298871f62c41559518bb31ea839235799ee325
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3BF0E93250D12466DB296A72BC02B7B3799DF99770B15B021EC04F7191DA20DC0085E0
                                                                                                                                                                                                                                                                        Function 00E187B2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetFileAttributesA.KERNEL32(?,00E1DA1D,?,?,?,?), ref: 00E187B9
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                                                                                                                        • Opcode ID: 92c95fcad2359ca9c6be26101a9021c9f762bc9a3e07d3736fed21eb7d13a338
                                                                                                                                                                                                                                                                        • Instruction ID: 678b676f808e7ccceb379b121a1ade337cb4b2c8ed82af8f17191891b506597b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92c95fcad2359ca9c6be26101a9021c9f762bc9a3e07d3736fed21eb7d13a338
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8C08C3801260009FD1C053842948F83349AB87BFC3F43B85E0B0FB1E1CB356887A210
                                                                                                                                                                                                                                                                        Function 00E187B0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetFileAttributesA.KERNEL32(?,00E1DA1D,?,?,?,?), ref: 00E187B9
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                                                                                                                        • Opcode ID: 673264bad21cc6d932995451d93800cca0239e2fa70fb4c93710273367621167
                                                                                                                                                                                                                                                                        • Instruction ID: 6ab6626f8a761e3362f0fbd22c5bef6eee5e12714d8348f2f8c19ba1fda1141b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 673264bad21cc6d932995451d93800cca0239e2fa70fb4c93710273367621167
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59C08C380122004AFA1C4A3892948B43209AB43B6D3F02B99E071FB1E1CB32D483D6A0
                                                                                                                                                                                                                                                                        Function 00E1B1A0 Relevance: 1.5, APIs: 1, Instructions: 244COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E1B3C8
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Initialize
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2538663250-0
                                                                                                                                                                                                                                                                        • Opcode ID: 7f7ac8ddec6425e0e34a89fbdfccfcfb96deae77124305228a04118593ac852a
                                                                                                                                                                                                                                                                        • Instruction ID: 6cdd24e4b93737c43a2f0bed8c5820d01f22b8ed78e536f5b1dd16dafe113bce
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f7ac8ddec6425e0e34a89fbdfccfcfb96deae77124305228a04118593ac852a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03B11670A11268DFEB28CF14CD94BDEB7B5EF59304F5085D8E809A7281D775AA88CF90
                                                                                                                                                                                                                                                                        Function 049A0C58 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2204262100.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_49a0000_file.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 67c688dcc58b8e9517713ea2a1c62033835fc4fbde055e28ab142466a1d2cd58
                                                                                                                                                                                                                                                                        • Instruction ID: 93349062a179b6905cca4eeed3a26ac3191856e77e210fd27170144c30ad6424
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 67c688dcc58b8e9517713ea2a1c62033835fc4fbde055e28ab142466a1d2cd58
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 881106FB24D210BDB14189826B24AFB67BED1C6B30731C83BF807C6506E2952E5D7172
                                                                                                                                                                                                                                                                        Function 049A0C64 Relevance: .1, Instructions: 101COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2204262100.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_49a0000_file.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 52b13388c608af71e48d5e4adec1912a8e5690c5b41114b1a4b79291d6476ec4
                                                                                                                                                                                                                                                                        • Instruction ID: 9c813976c99ba63e4f3a8e69f366de340cd1d83d72df82acb6819b8387112cfe
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52b13388c608af71e48d5e4adec1912a8e5690c5b41114b1a4b79291d6476ec4
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F11A5EB24D2107DB14189827B54AFB676EE1D6B30731C83BF806C5506E2992E5E7172
                                                                                                                                                                                                                                                                        Function 049A0CAB Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2204262100.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_49a0000_file.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: cc4a1086e785b110b6af23befb601767c4b3a219aafe72e52a8986e05f4b23c1
                                                                                                                                                                                                                                                                        • Instruction ID: 6338be5a71d104259680b22ffe581bd83fb6faa2c7bce16b949aea670390364e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc4a1086e785b110b6af23befb601767c4b3a219aafe72e52a8986e05f4b23c1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9301FCF724D340BDB2418995AB44DF67B6DD6C66343308C7FF806C6043E2552A2DB172
                                                                                                                                                                                                                                                                        Function 049A0C97 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2204262100.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_49a0000_file.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8520f264cda98ff3462cecbcaad144de7b5ed45d0b60d59701aa0b273c247299
                                                                                                                                                                                                                                                                        • Instruction ID: d466a3a8d8d9269f66b5117773a46a15ed4e0c635ae617efc7eaea8826fb432a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8520f264cda98ff3462cecbcaad144de7b5ed45d0b60d59701aa0b273c247299
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74F06DBB30D210ADB1418996BB50AF767AED2D6B30730CC36F80AC6142E2953A697171
                                                                                                                                                                                                                                                                        Function 049A0CF9 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2204262100.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_49a0000_file.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 4af95b70c9627c754ea9471dec2d12f554b2cb5a7d99cbcee749d9954d01b212
                                                                                                                                                                                                                                                                        • Instruction ID: fefb673f5fa9d1885e3362a34a6428f028706683ceb3e3a77688a0c0c35023f4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4af95b70c9627c754ea9471dec2d12f554b2cb5a7d99cbcee749d9954d01b212
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0FF081FB34D210BDB1418992AB50AFA67AED6D6B30731CC3AF407C6102F2952E6D71B1
                                                                                                                                                                                                                                                                        Function 049A0CDD Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2204262100.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_49a0000_file.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d0cd9fd3d08364f7ea3f7a641dff96853e8a48e0dfe4523b498e13b87efaba1f
                                                                                                                                                                                                                                                                        • Instruction ID: 28909626df5ffb44303612f183e9798169e13069dd1076d3e1981dfe2c4ef2d8
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0cd9fd3d08364f7ea3f7a641dff96853e8a48e0dfe4523b498e13b87efaba1f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34F05EE720D250BCF19198927B54BF7576EC2D6734731C93BF406C4502E28A2A6E7172

                                                                                                                                                                                                                                                                        Non-executed Functions

                                                                                                                                                                                                                                                                        Function 00E531A8 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: __floor_pentium4
                                                                                                                                                                                                                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                                        • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                                                        • Opcode ID: bd2e3352ce1b07becec4d0d2fc25984898d0aea7d93f14cd2f141d1de48f7c50
                                                                                                                                                                                                                                                                        • Instruction ID: 8fd947b678f46bb6113705f4e2cc4f829beb2cb33745161a4e4ba3cafcf762a2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bd2e3352ce1b07becec4d0d2fc25984898d0aea7d93f14cd2f141d1de48f7c50
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3EC24EB1E046288FDB25CE28DD407EAB3B5EB4434AF1455EAD84DF7240E775AE898F40
                                                                                                                                                                                                                                                                        Function 00E1E0C0 Relevance: 4.6, APIs: 3, Instructions: 102networkCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • recv.WS2_32(?,?,00000004,00000000), ref: 00E1E10B
                                                                                                                                                                                                                                                                        • recv.WS2_32(?,?,00000008,00000000), ref: 00E1E140
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: recv
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1507349165-0
                                                                                                                                                                                                                                                                        • Opcode ID: 31f3aa4546e37df5f6c81866fbd8c3f33b976245e347cf76c5c0671fb8facdbd
                                                                                                                                                                                                                                                                        • Instruction ID: 13a9d80570b3949b1833c25bb048fb6314328a4dfd3d7d94c32fb3102a8a869f
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 31f3aa4546e37df5f6c81866fbd8c3f33b976245e347cf76c5c0671fb8facdbd
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2931C771A402589FD720CB69DC85BEF77BCEB08728F101625F915F7391D674A8888F60
                                                                                                                                                                                                                                                                        Function 00E52D10 Relevance: 3.4, APIs: 2, Instructions: 450COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 376a5576fd4b68412969484e8d56b81b9300990959441ba6e7d287c5c1a7ddeb
                                                                                                                                                                                                                                                                        • Instruction ID: f6d567ffe1460f4157a4c911ad2bea4b34f42cce77c49a97823cd303a4f68744
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 376a5576fd4b68412969484e8d56b81b9300990959441ba6e7d287c5c1a7ddeb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3F15C71E012199BDF14CFA8C9806AEB7F1FF49315F25866DD919BB380D731AE058B90
                                                                                                                                                                                                                                                                        Function 00E2CBEA Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetSystemTimePreciseAsFileTime.KERNEL32(?,00E2CF52,?,00000003,00000003,?,00E2CF87,?,?,?,00000003,00000003,?,00E2C4FD,00E12FB9,00000001), ref: 00E2CC03
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Time$FilePreciseSystem
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1802150274-0
                                                                                                                                                                                                                                                                        • Opcode ID: 29664b668a6074a14635f084cc345bb0be9b0575f2168b38681794680cf97171
                                                                                                                                                                                                                                                                        • Instruction ID: 210b5a467086b3965cd0c93484e71247f2237a4c0223bdd011746fd7caaafde0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29664b668a6074a14635f084cc345bb0be9b0575f2168b38681794680cf97171
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AFD012325426389B8A556B95FC058EEFB58DF45B683145122ED0D77130CAD16C40DBD5
                                                                                                                                                                                                                                                                        Function 00E47F36 Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID: 0
                                                                                                                                                                                                                                                                        • API String ID: 0-4108050209
                                                                                                                                                                                                                                                                        • Opcode ID: 64669babd631c3e79488d27d076faf6f68bd25e965727fa38eff46ce7159b6c7
                                                                                                                                                                                                                                                                        • Instruction ID: 8c22457309bf093a004427c77028f7d3bf12a518077d507c5029eec237bb49ea
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 64669babd631c3e79488d27d076faf6f68bd25e965727fa38eff46ce7159b6c7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B1517B707186045AEB388A28BA957BE67DA9F51308F14351AE4C2F7392CF629D4DC291
                                                                                                                                                                                                                                                                        Function 00E14DE0 Relevance: .7, Instructions: 701COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e82ebf46ccfcea1ad2b444bcc9baa22ed2ba85e844da2acef37a1fd7b3ba6043
                                                                                                                                                                                                                                                                        • Instruction ID: 026806f97f8073bcb1b32bef0298f5302ef041c021cb8310d99a709cb21a4c81
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e82ebf46ccfcea1ad2b444bcc9baa22ed2ba85e844da2acef37a1fd7b3ba6043
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 412260B3F515144BDB0CCB9DDCA27ECB2E3AFD8218B0E903DA40AE3345EA79D9158644
                                                                                                                                                                                                                                                                        Function 00E57049 Relevance: .3, Instructions: 275COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: e42f78b563cdb3a4eefeb73c3cc235037d8df8920942e6e353eeee7359a76e62
                                                                                                                                                                                                                                                                        • Instruction ID: 44f7ef013faa8a4e8b890aa778f062041af936daba91fd71a213b444bb8991ba
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e42f78b563cdb3a4eefeb73c3cc235037d8df8920942e6e353eeee7359a76e62
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9B16A312146048FD714CF28D486BA57BE0FF4536AF259A58ECD9DF2A1C335E9A6CB40
                                                                                                                                                                                                                                                                        Function 00E14B30 Relevance: .2, Instructions: 230COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8de99bd84d41bc60445db6286c523cc6c87bfca4f17e7dcdace73234b346265e
                                                                                                                                                                                                                                                                        • Instruction ID: 654d7de853a780616d06b803c48410798ffcbfd136d81fb3c231b95fa7d4f87a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8de99bd84d41bc60445db6286c523cc6c87bfca4f17e7dcdace73234b346265e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1281FFB1A042458FEB15CF69E890BEEFBF1FB19300F151669D954B7392C3319989CBA0
                                                                                                                                                                                                                                                                        Function 00E578BB Relevance: .1, Instructions: 104COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 6d9c3c92ce7dda8d91ca80334f7834e173f44fbc2e63121c3a6f629e7ed4c7ea
                                                                                                                                                                                                                                                                        • Instruction ID: d23c4c27f42e4a3b5e8b5c9707bfb7b200b4b717139d9dfedd4db1031cd656ab
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d9c3c92ce7dda8d91ca80334f7834e173f44fbc2e63121c3a6f629e7ed4c7ea
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1021B673F204394B770CC47E8C5227DB6E1C78C541745423AE8A6EA2C1D968D917E2E4
                                                                                                                                                                                                                                                                        Function 00E5779B Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 36045080d8a0b67743f02e6acd7bca56fc3f405101f5e2f989fac2c0762a378d
                                                                                                                                                                                                                                                                        • Instruction ID: e3ac75a371d1c5d43faf8cdec879ff95fae65ef5ff6625f0b328ad47daec285b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 36045080d8a0b67743f02e6acd7bca56fc3f405101f5e2f989fac2c0762a378d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F118623F30C355B775C816D8C172BAA5D2EBD825071F533AD826F7284E9A4DE23D290
                                                                                                                                                                                                                                                                        Function 00E58860 Relevance: .1, Instructions: 76COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 69368e33383e1e94eef2ceab35efabe13634146fb6e6488aa9fcdc9ed388e530
                                                                                                                                                                                                                                                                        • Instruction ID: 9ad59974b643b744ef843189915c0e30de1d1a5264043b12e83dac18c00d0808
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 69368e33383e1e94eef2ceab35efabe13634146fb6e6488aa9fcdc9ed388e530
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 22112E7720014183E60C862DCAF46B7A795EBC532B7EC6B75D8417B754DA22D94D9600
                                                                                                                                                                                                                                                                        Function 00E4A302 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 8bfb7b8e78c370f2913f61a25c6defe040cdd2114a4e27868ad6e7523cb31ccb
                                                                                                                                                                                                                                                                        • Instruction ID: 9564f3988a40aa71d1a8b663b19a50883f318ed2e74609a8dcb4cab876fa6475
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8bfb7b8e78c370f2913f61a25c6defe040cdd2114a4e27868ad6e7523cb31ccb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BE08C32961228EBCB14DF98E90498EF3FCEB49B10B6910A6F501E3150D270DE00C7D0
                                                                                                                                                                                                                                                                        Function 00E4CBDF Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: _strrchr
                                                                                                                                                                                                                                                                        • String ID: v
                                                                                                                                                                                                                                                                        • API String ID: 3213747228-1361604894
                                                                                                                                                                                                                                                                        • Opcode ID: e735d7118d15e2b04af68ee7be9476ee50b6c15cebd4be360e770f4c3f107c3f
                                                                                                                                                                                                                                                                        • Instruction ID: b7bac414bb533b9e896c7bfcdbd4734c1f460a706ca87a19d4020077db76960c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e735d7118d15e2b04af68ee7be9476ee50b6c15cebd4be360e770f4c3f107c3f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BB12332E026459FDB15CF28D8817FEBBE5EF45344F25916AE855FB242D6348D02CBA0
                                                                                                                                                                                                                                                                        Function 00E12EC0 Relevance: 7.8, APIs: 5, Instructions: 272COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Mtx_unlock$Cnd_broadcast
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 32384418-0
                                                                                                                                                                                                                                                                        • Opcode ID: 7810267772885308c32a46534d17bc1936e44f1ae18e714b90d3d70244a082c7
                                                                                                                                                                                                                                                                        • Instruction ID: d01cbb7547d61843bac4b57d186cb6134c75ed4b57dff59418161302d23f44e5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7810267772885308c32a46534d17bc1936e44f1ae18e714b90d3d70244a082c7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 10A1F1B1A01615EFDB20DF74D94479AB7E8FF18318F14A129E816F7241EB31EA84CB91
                                                                                                                                                                                                                                                                        Function 00E2BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Xtime_diff_to_millis2_xtime_get
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 531285432-0
                                                                                                                                                                                                                                                                        • Opcode ID: 3e8cb1c0501ad089ea6b6cc6f45962ba37e5e2d583b418bca81a1d4536d45afa
                                                                                                                                                                                                                                                                        • Instruction ID: 325c3eba16affce458b6b8e632ee3058a28986cfb61f63dd27fd34990ab6efb5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e8cb1c0501ad089ea6b6cc6f45962ba37e5e2d583b418bca81a1d4536d45afa
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9213271A00129AFDF00EFA4ED829BEB7F9EF48714F201015F501B7261DB709D059BA0
                                                                                                                                                                                                                                                                        Function 00E4F35F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2201850154.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201829502.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201850154.0000000000E72000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201913361.0000000000E79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201930952.0000000000E7B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2201952792.0000000000E87000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202064904.0000000000FE2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202083616.0000000000FE5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202106108.0000000000FFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202123118.0000000000FFE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202143196.0000000001007000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202181548.0000000001010000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202200451.0000000001011000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202217449.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202233721.0000000001013000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202261988.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202282374.000000000101F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202300879.0000000001020000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202385444.0000000001023000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202435292.0000000001040000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202471173.000000000104C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202504360.0000000001062000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202523208.000000000106D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202540612.000000000106E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202558201.0000000001073000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202574747.0000000001074000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202593630.0000000001078000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202620576.0000000001087000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202647260.000000000108B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202674668.0000000001096000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202697679.0000000001097000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202716393.0000000001098000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202743246.000000000109F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202765921.00000000010A0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202794524.00000000010A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202818762.00000000010A6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010AA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202850400.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202917759.0000000001114000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202937034.0000000001115000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202955133.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202970594.000000000111E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2202990177.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2203006306.000000000112D000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_e10000_file.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ___free_lconv_mon
                                                                                                                                                                                                                                                                        • String ID: 8"$`'
                                                                                                                                                                                                                                                                        • API String ID: 3903695350-1436819768
                                                                                                                                                                                                                                                                        • Opcode ID: bc107a34c253060b43b5aa8b48b753531edf4934ea09561a059545d498b0dcec
                                                                                                                                                                                                                                                                        • Instruction ID: 6013dcb0dee6902358a682f9d3b96c63d848426e753e6da4ac3231e3e6826a7e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc107a34c253060b43b5aa8b48b753531edf4934ea09561a059545d498b0dcec
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E313932A00201DFEB21AE39E845B5B73E8EF4476EF14A439F459E7595DE70EC808A15

                                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                                        Execution Coverage:1%
                                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                                        Total number of Nodes:1967
                                                                                                                                                                                                                                                                        Total number of Limit Nodes:9
                                                                                                                                                                                                                                                                        execution_graph 9949 19a418 9951 19a420 shared_ptr 9949->9951 9950 19a93f 9953 1c6c6a RtlAllocateHeap 9950->9953 9951->9950 9952 19a4f3 shared_ptr 9951->9952 9955 1a80c0 RtlAllocateHeap 9952->9955 9954 19a944 9953->9954 9956 1c6c6a RtlAllocateHeap 9954->9956 9957 19a903 9955->9957 9958 19a949 9956->9958 9959 1c6c6a RtlAllocateHeap 9958->9959 9960 19a94e 9959->9960 9961 1c6c6a RtlAllocateHeap 9960->9961 9962 19a953 Sleep CreateMutexA 9961->9962 9963 19a98e 9962->9963 9964 191010 9967 1ad64e 9964->9967 9970 1ad621 9967->9970 9971 1ad630 9970->9971 9972 1ad637 9970->9972 9976 1c988e 9971->9976 9979 1c98fa 9972->9979 9975 19101a 9977 1c98fa RtlAllocateHeap 9976->9977 9978 1c98a0 9977->9978 9978->9975 9982 1c9630 9979->9982 9981 1c992b 9981->9975 9983 1c963c __cftof 9982->9983 9986 1c968b 9983->9986 9985 1c9657 9985->9981 9987 1c96a7 9986->9987 9989 1c971e __dosmaperr 9986->9989 9988 1c96fe 9987->9988 9987->9989 9996 1cedf6 9987->9996 9988->9989 9991 1cedf6 RtlAllocateHeap 9988->9991 9989->9985 9993 1c9714 9991->9993 9992 1c96f4 9994 1cadf5 ___free_lconv_mon RtlAllocateHeap 9992->9994 9995 1cadf5 ___free_lconv_mon RtlAllocateHeap 9993->9995 9994->9988 9995->9989 9997 1cee1e 9996->9997 9998 1cee03 9996->9998 9999 1cee2d 9997->9999 10005 1d4fdc 9997->10005 9998->9997 10000 1cee0f 9998->10000 10012 1d500f 9999->10012 10002 1c75f6 __dosmaperr RtlAllocateHeap 10000->10002 10004 1cee14 __cftof 10002->10004 10004->9992 10006 1d4ffc 10005->10006 10007 1d4fe7 10005->10007 10006->9999 10008 1c75f6 __dosmaperr RtlAllocateHeap 10007->10008 10009 1d4fec 10008->10009 10010 1c6c5a __cftof RtlAllocateHeap 10009->10010 10011 1d4ff7 10010->10011 10011->9999 10013 1d501c 10012->10013 10014 1d5027 10012->10014 10021 1cb04b 10013->10021 10016 1d502f 10014->10016 10020 1d5038 __dosmaperr 10014->10020 10017 1cadf5 ___free_lconv_mon RtlAllocateHeap 10016->10017 10018 1d5024 10017->10018 10018->10004 10019 1c75f6 __dosmaperr RtlAllocateHeap 10019->10018 10020->10018 10020->10019 10023 1cb059 __dosmaperr 10021->10023 10022 1c75f6 __dosmaperr RtlAllocateHeap 10024 1cb087 10022->10024 10023->10022 10023->10024 10024->10018 10033 191000 10034 1ad64e RtlAllocateHeap 10033->10034 10035 19100a 10034->10035 10066 192e00 10067 192e28 10066->10067 10070 1ac68b 10067->10070 10073 1ac3d5 10070->10073 10072 192e33 10074 1ac3eb 10073->10074 10075 1ac3e1 10073->10075 10074->10072 10076 1ac3be 10075->10076 10078 1ac39e 10075->10078 10086 1acd0a 10076->10086 10078->10074 10082 1accd5 10078->10082 10079 1ac3d0 10079->10072 10083 1acce3 InitializeCriticalSectionEx 10082->10083 10085 1ac3b7 10082->10085 10083->10085 10085->10072 10087 1acd1f RtlInitializeConditionVariable 10086->10087 10087->10079 9706 1cd82f 9709 1cd83c __dosmaperr 9706->9709 9707 1cd867 RtlAllocateHeap 9708 1cd87a __dosmaperr 9707->9708 9707->9709 9709->9707 9709->9708 9710 1c6629 9713 1c64c7 9710->9713 9716 1c64d5 __cftof 9713->9716 9714 1c6520 9716->9714 9718 1c652b 9716->9718 9717 1c652a 9724 1ca302 GetPEB 9718->9724 9720 1c6535 9721 1c653a GetPEB 9720->9721 9723 1c654a __cftof 9720->9723 9721->9723 9722 1c6562 ExitProcess 9723->9722 9725 1ca31c __cftof 9724->9725 9725->9720 10101 191020 10102 1a80c0 RtlAllocateHeap 10101->10102 10103 191031 10102->10103 10104 1ad64e RtlAllocateHeap 10103->10104 10105 19103b 10104->10105 10144 1abe50 10147 1abd8b 10144->10147 10146 1abe66 Concurrency::cancel_current_task std::_Throw_future_error 10148 1922e0 std::invalid_argument::invalid_argument RtlAllocateHeap 10147->10148 10149 1abd9f 10148->10149 10149->10146 9726 19a856 9727 19a870 9726->9727 9734 19a892 shared_ptr 9726->9734 9728 19a94e 9727->9728 9727->9734 9735 1c6c6a 9728->9735 9731 19a953 Sleep CreateMutexA 9733 19a98e 9731->9733 9732 19a903 9738 1a80c0 9734->9738 9753 1c6bf6 9735->9753 9737 1c6c79 __cftof 9742 1a80de 9738->9742 9743 1a8104 9738->9743 9739 1a81ee 9912 1a9270 9739->9912 9741 1a81f3 9915 192480 9741->9915 9742->9732 9743->9739 9745 1a8158 9743->9745 9746 1a817d 9743->9746 9745->9741 9907 1ad3e2 9745->9907 9748 1ad3e2 RtlAllocateHeap 9746->9748 9750 1a8169 __cftof 9746->9750 9748->9750 9751 1c6c6a RtlAllocateHeap 9750->9751 9752 1a81d0 shared_ptr 9750->9752 9751->9739 9752->9732 9759 1ca7c8 9753->9759 9755 1c6c01 __cftof 9756 1c6c0f 9755->9756 9757 1c6bf6 __cftof RtlAllocateHeap 9755->9757 9756->9737 9758 1c6c66 9757->9758 9758->9737 9760 1ca7d2 __dosmaperr 9759->9760 9762 1ca7eb 9760->9762 9770 1cd82f 9760->9770 9762->9755 9763 1ca813 __dosmaperr 9764 1ca81b __dosmaperr 9763->9764 9765 1ca853 9763->9765 9774 1cadf5 9764->9774 9778 1ca49f 9765->9778 9769 1cadf5 ___free_lconv_mon RtlAllocateHeap 9769->9762 9773 1cd83c __dosmaperr 9770->9773 9771 1cd867 RtlAllocateHeap 9772 1cd87a __dosmaperr 9771->9772 9771->9773 9772->9763 9773->9771 9773->9772 9775 1cae00 9774->9775 9777 1cae1b __dosmaperr 9774->9777 9775->9777 9782 1c75f6 9775->9782 9777->9762 9779 1ca50d __dosmaperr 9778->9779 9785 1ca445 9779->9785 9781 1ca536 9781->9769 9783 1ca7c8 __dosmaperr RtlAllocateHeap 9782->9783 9784 1c75fb 9783->9784 9784->9777 9786 1ca451 __cftof 9785->9786 9789 1ca626 9786->9789 9788 1ca473 __dosmaperr 9788->9781 9790 1ca635 __dosmaperr 9789->9790 9791 1ca65c __dosmaperr 9789->9791 9790->9791 9793 1cf35f 9790->9793 9791->9788 9794 1cf3df 9793->9794 9798 1cf375 9793->9798 9795 1cf42d 9794->9795 9797 1cadf5 ___free_lconv_mon RtlAllocateHeap 9794->9797 9861 1cf4d0 9795->9861 9799 1cf401 9797->9799 9798->9794 9800 1cf3a8 9798->9800 9805 1cadf5 ___free_lconv_mon RtlAllocateHeap 9798->9805 9801 1cadf5 ___free_lconv_mon RtlAllocateHeap 9799->9801 9802 1cf3ca 9800->9802 9809 1cadf5 ___free_lconv_mon RtlAllocateHeap 9800->9809 9803 1cf414 9801->9803 9804 1cadf5 ___free_lconv_mon RtlAllocateHeap 9802->9804 9808 1cadf5 ___free_lconv_mon RtlAllocateHeap 9803->9808 9810 1cf3d4 9804->9810 9807 1cf39d 9805->9807 9806 1cf43b 9811 1cf49b 9806->9811 9820 1cadf5 RtlAllocateHeap ___free_lconv_mon 9806->9820 9821 1cef3c 9807->9821 9813 1cf422 9808->9813 9814 1cf3bf 9809->9814 9815 1cadf5 ___free_lconv_mon RtlAllocateHeap 9810->9815 9816 1cadf5 ___free_lconv_mon RtlAllocateHeap 9811->9816 9818 1cadf5 ___free_lconv_mon RtlAllocateHeap 9813->9818 9849 1cf03a 9814->9849 9815->9794 9817 1cf4a1 9816->9817 9817->9791 9818->9795 9820->9806 9822 1cef4d 9821->9822 9848 1cf036 9821->9848 9823 1cef5e 9822->9823 9824 1cadf5 ___free_lconv_mon RtlAllocateHeap 9822->9824 9825 1cef70 9823->9825 9826 1cadf5 ___free_lconv_mon RtlAllocateHeap 9823->9826 9824->9823 9827 1cef82 9825->9827 9828 1cadf5 ___free_lconv_mon RtlAllocateHeap 9825->9828 9826->9825 9829 1cef94 9827->9829 9830 1cadf5 ___free_lconv_mon RtlAllocateHeap 9827->9830 9828->9827 9831 1cefa6 9829->9831 9832 1cadf5 ___free_lconv_mon RtlAllocateHeap 9829->9832 9830->9829 9833 1cefb8 9831->9833 9834 1cadf5 ___free_lconv_mon RtlAllocateHeap 9831->9834 9832->9831 9835 1cefca 9833->9835 9836 1cadf5 ___free_lconv_mon RtlAllocateHeap 9833->9836 9834->9833 9837 1cadf5 ___free_lconv_mon RtlAllocateHeap 9835->9837 9839 1cefdc 9835->9839 9836->9835 9837->9839 9838 1cefee 9841 1cf000 9838->9841 9842 1cadf5 ___free_lconv_mon RtlAllocateHeap 9838->9842 9839->9838 9840 1cadf5 ___free_lconv_mon RtlAllocateHeap 9839->9840 9840->9838 9843 1cf012 9841->9843 9844 1cadf5 ___free_lconv_mon RtlAllocateHeap 9841->9844 9842->9841 9845 1cf024 9843->9845 9846 1cadf5 ___free_lconv_mon RtlAllocateHeap 9843->9846 9844->9843 9847 1cadf5 ___free_lconv_mon RtlAllocateHeap 9845->9847 9845->9848 9846->9845 9847->9848 9848->9800 9850 1cf09f 9849->9850 9852 1cf047 9849->9852 9850->9802 9851 1cf057 9854 1cf069 9851->9854 9855 1cadf5 ___free_lconv_mon RtlAllocateHeap 9851->9855 9852->9851 9853 1cadf5 ___free_lconv_mon RtlAllocateHeap 9852->9853 9853->9851 9856 1cf07b 9854->9856 9857 1cadf5 ___free_lconv_mon RtlAllocateHeap 9854->9857 9855->9854 9858 1cf08d 9856->9858 9859 1cadf5 ___free_lconv_mon RtlAllocateHeap 9856->9859 9857->9856 9858->9850 9860 1cadf5 ___free_lconv_mon RtlAllocateHeap 9858->9860 9859->9858 9860->9850 9862 1cf4dd 9861->9862 9863 1cf4fc 9861->9863 9862->9863 9867 1cf0db 9862->9867 9863->9806 9866 1cadf5 ___free_lconv_mon RtlAllocateHeap 9866->9863 9868 1cf1b9 9867->9868 9869 1cf0ec 9867->9869 9868->9866 9903 1cf0a3 9869->9903 9872 1cf0a3 __dosmaperr RtlAllocateHeap 9873 1cf0ff 9872->9873 9874 1cf0a3 __dosmaperr RtlAllocateHeap 9873->9874 9875 1cf10a 9874->9875 9876 1cf0a3 __dosmaperr RtlAllocateHeap 9875->9876 9877 1cf115 9876->9877 9878 1cf0a3 __dosmaperr RtlAllocateHeap 9877->9878 9879 1cf123 9878->9879 9880 1cadf5 ___free_lconv_mon RtlAllocateHeap 9879->9880 9881 1cf12e 9880->9881 9882 1cadf5 ___free_lconv_mon RtlAllocateHeap 9881->9882 9883 1cf139 9882->9883 9884 1cadf5 ___free_lconv_mon RtlAllocateHeap 9883->9884 9885 1cf144 9884->9885 9886 1cf0a3 __dosmaperr RtlAllocateHeap 9885->9886 9887 1cf152 9886->9887 9888 1cf0a3 __dosmaperr RtlAllocateHeap 9887->9888 9889 1cf160 9888->9889 9890 1cf0a3 __dosmaperr RtlAllocateHeap 9889->9890 9891 1cf171 9890->9891 9892 1cf0a3 __dosmaperr RtlAllocateHeap 9891->9892 9893 1cf17f 9892->9893 9894 1cf0a3 __dosmaperr RtlAllocateHeap 9893->9894 9895 1cf18d 9894->9895 9896 1cadf5 ___free_lconv_mon RtlAllocateHeap 9895->9896 9897 1cf198 9896->9897 9898 1cadf5 ___free_lconv_mon RtlAllocateHeap 9897->9898 9899 1cf1a3 9898->9899 9900 1cadf5 ___free_lconv_mon RtlAllocateHeap 9899->9900 9901 1cf1ae 9900->9901 9902 1cadf5 ___free_lconv_mon RtlAllocateHeap 9901->9902 9902->9868 9904 1cf0d6 9903->9904 9905 1cf0c6 9903->9905 9904->9872 9905->9904 9906 1cadf5 ___free_lconv_mon RtlAllocateHeap 9905->9906 9906->9905 9908 192480 Concurrency::cancel_current_task __dosmaperr ___std_exception_copy 9907->9908 9911 1ad401 Concurrency::cancel_current_task 9908->9911 9919 1c38af 9908->9919 9911->9750 9940 1ac1b9 9912->9940 9916 19248e Concurrency::cancel_current_task 9915->9916 9917 1c38af ___std_exception_copy RtlAllocateHeap 9916->9917 9918 1924c3 9917->9918 9920 1924c3 9919->9920 9922 1c38bc ___std_exception_copy 9919->9922 9920->9750 9921 1c38e9 9934 1c8ba3 9921->9934 9922->9920 9922->9921 9925 1ca1f1 9922->9925 9926 1ca1fe 9925->9926 9927 1ca20c 9925->9927 9926->9927 9930 1ca223 9926->9930 9928 1c75f6 __dosmaperr RtlAllocateHeap 9927->9928 9933 1ca214 9928->9933 9931 1ca21e 9930->9931 9932 1c75f6 __dosmaperr RtlAllocateHeap 9930->9932 9931->9921 9932->9933 9937 1c6c5a 9933->9937 9935 1cadf5 ___free_lconv_mon RtlAllocateHeap 9934->9935 9936 1c8bbb 9935->9936 9936->9920 9938 1c6bf6 __cftof RtlAllocateHeap 9937->9938 9939 1c6c66 9938->9939 9939->9931 9943 1ac123 9940->9943 9942 1ac1ca Concurrency::cancel_current_task 9946 1922e0 9943->9946 9945 1ac135 9945->9942 9947 1c38af ___std_exception_copy RtlAllocateHeap 9946->9947 9948 192317 __floor_pentium4 9947->9948 9948->9945 10150 1c6a44 10151 1c6a5c 10150->10151 10152 1c6a52 10150->10152 10168 1c698d 10151->10168 10163 1cb655 10152->10163 10155 1c6a76 10171 1c68ed 10155->10171 10156 1c6a59 10159 1c6a8a 10161 1cadf5 ___free_lconv_mon RtlAllocateHeap 10159->10161 10162 1c6aa8 10159->10162 10160 1cb655 RtlAllocateHeap 10160->10159 10161->10162 10164 1cb662 10163->10164 10165 1cb679 10164->10165 10174 1c75c0 10164->10174 10165->10156 10182 1c690a 10168->10182 10170 1c699f 10170->10155 10377 1c683b 10171->10377 10179 1c75e3 10174->10179 10176 1c75cb __dosmaperr 10177 1c75f6 __dosmaperr RtlAllocateHeap 10176->10177 10178 1c75de 10177->10178 10178->10156 10180 1ca7c8 __dosmaperr RtlAllocateHeap 10179->10180 10181 1c75e8 10180->10181 10181->10176 10183 1c692a 10182->10183 10184 1c6921 10182->10184 10183->10184 10190 1ca671 10183->10190 10184->10170 10191 1ca67b __dosmaperr 10190->10191 10192 1cd82f __dosmaperr RtlAllocateHeap 10191->10192 10194 1ca694 10191->10194 10196 1ca6bc __dosmaperr 10192->10196 10193 1ca6c4 __dosmaperr 10199 1cadf5 ___free_lconv_mon RtlAllocateHeap 10193->10199 10195 1c694a 10194->10195 10212 1c8bec 10194->10212 10204 1cb5fb 10195->10204 10196->10193 10198 1ca6fc 10196->10198 10201 1ca49f __dosmaperr RtlAllocateHeap 10198->10201 10199->10194 10202 1ca707 10201->10202 10203 1cadf5 ___free_lconv_mon RtlAllocateHeap 10202->10203 10203->10194 10205 1cb60e 10204->10205 10206 1c6960 10204->10206 10205->10206 10245 1cf5ab 10205->10245 10208 1cb628 10206->10208 10209 1cb63b 10208->10209 10211 1cb650 10208->10211 10209->10211 10258 1ce6b1 10209->10258 10211->10184 10213 1c8bf1 __cftof 10212->10213 10215 1c8bfc __cftof 10213->10215 10218 1cd634 10213->10218 10239 1c65ed 10215->10239 10219 1cd640 __cftof 10218->10219 10220 1ca7c8 __dosmaperr RtlAllocateHeap 10219->10220 10225 1cd667 __cftof 10219->10225 10226 1cd66d __cftof 10219->10226 10220->10225 10221 1cd6b2 10222 1c75f6 __dosmaperr RtlAllocateHeap 10221->10222 10223 1cd6b7 10222->10223 10224 1c6c5a __cftof RtlAllocateHeap 10223->10224 10238 1cd69c 10224->10238 10225->10221 10225->10226 10225->10238 10227 1cd81b __dosmaperr 10226->10227 10228 1cd726 10226->10228 10230 1cd751 __cftof 10226->10230 10229 1c65ed __cftof 3 API calls 10227->10229 10228->10230 10242 1cd62b 10228->10242 10232 1cd82e 10229->10232 10233 1ca671 __cftof 4 API calls 10230->10233 10236 1cd7a5 10230->10236 10230->10238 10233->10236 10235 1cd62b __cftof 4 API calls 10235->10230 10237 1ca671 __cftof 4 API calls 10236->10237 10236->10238 10237->10238 10238->10215 10240 1c64c7 __cftof 3 API calls 10239->10240 10241 1c65fe 10240->10241 10243 1ca671 __cftof 4 API calls 10242->10243 10244 1cd630 10243->10244 10244->10235 10246 1cf5b7 __cftof 10245->10246 10247 1ca671 __cftof 4 API calls 10246->10247 10248 1cf5c0 __cftof 10247->10248 10251 1cf606 10248->10251 10254 1cf62c 10248->10254 10250 1cf5ef __cftof 10250->10251 10252 1c8bec __cftof 4 API calls 10250->10252 10251->10206 10253 1cf62b 10252->10253 10255 1cf647 10254->10255 10256 1cf63a __dosmaperr 10254->10256 10255->10250 10256->10255 10257 1cf35f __dosmaperr RtlAllocateHeap 10256->10257 10257->10255 10259 1ca671 __cftof 4 API calls 10258->10259 10260 1ce6bb 10259->10260 10263 1ce5c9 10260->10263 10262 1ce6c1 10262->10211 10267 1ce5d5 __cftof 10263->10267 10264 1ce5f6 10264->10262 10265 1ce5ef __cftof 10265->10264 10266 1c8bec __cftof 4 API calls 10265->10266 10268 1ce668 10266->10268 10267->10265 10270 1cadf5 ___free_lconv_mon RtlAllocateHeap 10267->10270 10269 1ce6a4 10268->10269 10274 1ca72e 10268->10274 10269->10262 10270->10265 10275 1ca739 __dosmaperr 10274->10275 10276 1ca745 10275->10276 10278 1cd82f __dosmaperr RtlAllocateHeap 10275->10278 10277 1c8bec __cftof 4 API calls 10276->10277 10280 1ca7be 10276->10280 10279 1ca7c7 10277->10279 10281 1ca769 __dosmaperr 10278->10281 10288 1ce4b0 10280->10288 10282 1ca7a5 10281->10282 10283 1ca771 __dosmaperr 10281->10283 10285 1ca49f __dosmaperr RtlAllocateHeap 10282->10285 10284 1cadf5 ___free_lconv_mon RtlAllocateHeap 10283->10284 10284->10276 10286 1ca7b0 10285->10286 10287 1cadf5 ___free_lconv_mon RtlAllocateHeap 10286->10287 10287->10276 10289 1ce5c9 __cftof 4 API calls 10288->10289 10290 1ce4c3 10289->10290 10307 1ce259 10290->10307 10293 1ce4dc 10293->10269 10294 1cb04b __cftof RtlAllocateHeap 10295 1ce4ed 10294->10295 10296 1ce51f 10295->10296 10310 1ce6c4 10295->10310 10298 1cadf5 ___free_lconv_mon RtlAllocateHeap 10296->10298 10300 1ce52d 10298->10300 10299 1ce512 10301 1ce51a 10299->10301 10304 1ce535 __cftof 10299->10304 10300->10269 10302 1c75f6 __dosmaperr RtlAllocateHeap 10301->10302 10302->10296 10303 1ce561 10303->10296 10315 1ce14b 10303->10315 10304->10303 10305 1cadf5 ___free_lconv_mon RtlAllocateHeap 10304->10305 10305->10303 10308 1c690a __cftof 4 API calls 10307->10308 10309 1ce26b 10308->10309 10309->10293 10309->10294 10311 1ce259 __cftof 4 API calls 10310->10311 10314 1ce6e4 __cftof 10311->10314 10312 1ce75a __cftof __floor_pentium4 10312->10299 10314->10312 10319 1ce32f 10314->10319 10316 1ce157 __cftof 10315->10316 10356 1ce198 10316->10356 10318 1ce16e __cftof 10318->10296 10321 1ce357 10319->10321 10326 1ce420 __floor_pentium4 10319->10326 10321->10326 10327 1cf1bf 10321->10327 10322 1ce3d7 10334 1d4dfe 10322->10334 10325 1d4dfe __cftof 4 API calls 10325->10326 10326->10312 10328 1c690a __cftof 4 API calls 10327->10328 10329 1cf1df __cftof 10328->10329 10330 1cb04b __cftof RtlAllocateHeap 10329->10330 10331 1cf29d __floor_pentium4 10329->10331 10333 1cf232 __cftof 10329->10333 10330->10333 10331->10322 10339 1cf2c2 10333->10339 10335 1c690a __cftof 4 API calls 10334->10335 10336 1d4e11 10335->10336 10343 1d4c14 10336->10343 10338 1ce3f8 10338->10325 10340 1cf2ce 10339->10340 10341 1cf2df 10339->10341 10340->10341 10342 1cadf5 ___free_lconv_mon RtlAllocateHeap 10340->10342 10341->10331 10342->10341 10345 1d4c2f __cftof 10343->10345 10344 1d4dd8 __floor_pentium4 10344->10338 10345->10344 10346 1cb04b __cftof RtlAllocateHeap 10345->10346 10348 1d4c98 __cftof 10345->10348 10346->10348 10347 1cf2c2 __freea RtlAllocateHeap 10347->10344 10349 1cb04b __cftof RtlAllocateHeap 10348->10349 10352 1d4d5e __cftof 10348->10352 10355 1d4d14 __cftof 10348->10355 10349->10352 10350 1d4dc9 10351 1cf2c2 __freea RtlAllocateHeap 10350->10351 10351->10355 10352->10350 10353 1d4df5 10352->10353 10354 1cf2c2 __freea RtlAllocateHeap 10353->10354 10354->10355 10355->10347 10363 1cbac8 10356->10363 10358 1ce1ba 10359 1cbac8 __cftof RtlAllocateHeap 10358->10359 10360 1ce1d9 10359->10360 10361 1ce200 10360->10361 10362 1cadf5 ___free_lconv_mon RtlAllocateHeap 10360->10362 10361->10318 10362->10361 10364 1cbad9 10363->10364 10368 1cbad5 __cftof 10363->10368 10365 1cbae0 10364->10365 10369 1cbaf3 __cftof 10364->10369 10366 1c75f6 __dosmaperr RtlAllocateHeap 10365->10366 10367 1cbae5 10366->10367 10370 1c6c5a __cftof RtlAllocateHeap 10367->10370 10368->10358 10369->10368 10371 1cbb2a 10369->10371 10372 1cbb21 10369->10372 10370->10368 10371->10368 10374 1c75f6 __dosmaperr RtlAllocateHeap 10371->10374 10373 1c75f6 __dosmaperr RtlAllocateHeap 10372->10373 10375 1cbb26 10373->10375 10374->10375 10376 1c6c5a __cftof RtlAllocateHeap 10375->10376 10376->10368 10378 1c6849 10377->10378 10379 1c6863 10377->10379 10390 1c69cc 10378->10390 10381 1c6889 __cftof 10379->10381 10382 1c686a 10379->10382 10385 1c689f __cftof 10381->10385 10386 1c69e6 RtlAllocateHeap 10381->10386 10384 1c6853 10382->10384 10394 1c69e6 10382->10394 10384->10159 10384->10160 10385->10384 10387 1c75c0 __dosmaperr RtlAllocateHeap 10385->10387 10386->10385 10388 1c68ab 10387->10388 10389 1c75f6 __dosmaperr RtlAllocateHeap 10388->10389 10389->10384 10391 1c69df 10390->10391 10392 1c69d7 10390->10392 10391->10384 10393 1cadf5 ___free_lconv_mon RtlAllocateHeap 10392->10393 10393->10391 10395 1c69cc RtlAllocateHeap 10394->10395 10396 1c69f4 10395->10396 10399 1c6a25 10396->10399 10400 1cb04b __cftof RtlAllocateHeap 10399->10400 10401 1c6a05 10400->10401 10401->10384 10480 193440 10485 192b30 10480->10485 10482 19344f Concurrency::cancel_current_task 10483 1c38af ___std_exception_copy RtlAllocateHeap 10482->10483 10484 193483 10483->10484 10486 1c38af ___std_exception_copy RtlAllocateHeap 10485->10486 10487 192b68 __floor_pentium4 10486->10487 10487->10482 10435 193840 10439 19385f 10435->10439 10443 1938f6 10435->10443 10436 193920 10477 1a91e0 10436->10477 10438 193925 10439->10436 10441 19391b 10439->10441 10442 1938cd shared_ptr 10439->10442 10439->10443 10444 1c6c6a RtlAllocateHeap 10441->10444 10445 1a7d50 10442->10445 10444->10436 10446 1a7dcb 10445->10446 10447 1a7d62 10445->10447 10450 192480 RtlAllocateHeap 10446->10450 10448 1a7d9c 10447->10448 10449 1a7d6d 10447->10449 10452 1a7db9 10448->10452 10455 1ad3e2 RtlAllocateHeap 10448->10455 10449->10446 10451 1a7d74 10449->10451 10453 1a7d7a 10450->10453 10454 1ad3e2 RtlAllocateHeap 10451->10454 10452->10443 10456 1c6c6a RtlAllocateHeap 10453->10456 10458 1a7d83 10453->10458 10454->10453 10457 1a7da6 10455->10457 10464 1a7dd5 10456->10464 10457->10443 10458->10443 10459 1a7f20 10460 1a9270 RtlAllocateHeap 10459->10460 10473 1a7e91 __cftof 10460->10473 10461 1a7e01 10461->10443 10462 1c6c6a RtlAllocateHeap 10472 1a7f2a __cftof 10462->10472 10463 1a7f1b 10465 192480 RtlAllocateHeap 10463->10465 10464->10459 10464->10461 10464->10463 10466 1a7e80 10464->10466 10467 1a7ea7 10464->10467 10465->10459 10466->10463 10468 1a7e8b 10466->10468 10470 1ad3e2 RtlAllocateHeap 10467->10470 10467->10473 10469 1ad3e2 RtlAllocateHeap 10468->10469 10469->10473 10470->10473 10471 1a7f61 shared_ptr 10471->10443 10472->10471 10474 1c6c6a RtlAllocateHeap 10472->10474 10473->10462 10475 1a7f02 shared_ptr 10473->10475 10476 1a7f7c 10474->10476 10475->10443 10478 1ac1b9 RtlAllocateHeap 10477->10478 10479 1a91ea 10478->10479 10479->10438 10498 193c47 10499 193c51 10498->10499 10502 193c5f 10499->10502 10514 1932d0 10499->10514 10500 193c68 10502->10500 10533 193810 10502->10533 10537 1ac6ac 10514->10537 10516 193314 10517 19336b 10516->10517 10520 19333c __Mtx_unlock 10516->10520 10540 1abd4c 10516->10540 10543 1ac26a 10517->10543 10521 1ac26a 5 API calls 10520->10521 10522 193350 __floor_pentium4 10520->10522 10523 193377 10521->10523 10522->10502 10524 1ac6ac GetSystemTimePreciseAsFileTime 10523->10524 10525 1933af 10524->10525 10526 1ac26a 5 API calls 10525->10526 10527 1933b6 __Cnd_broadcast 10525->10527 10526->10527 10528 1ac26a 5 API calls 10527->10528 10529 1933d7 __Mtx_unlock 10527->10529 10528->10529 10530 1ac26a 5 API calls 10529->10530 10531 1933eb 10529->10531 10532 19340e 10530->10532 10531->10502 10532->10502 10534 19381c 10533->10534 10658 192440 10534->10658 10547 1ac452 10537->10547 10539 1ac6b9 10539->10516 10564 1abb72 10540->10564 10542 1abd5c 10542->10516 10544 1ac292 10543->10544 10545 1ac274 10543->10545 10544->10544 10545->10544 10570 1ac297 10545->10570 10548 1ac4a8 10547->10548 10550 1ac47a __floor_pentium4 10547->10550 10548->10550 10553 1acf6b 10548->10553 10550->10539 10551 1ac4fd __Xtime_diff_to_millis2 10551->10550 10552 1acf6b _xtime_get GetSystemTimePreciseAsFileTime 10551->10552 10552->10551 10554 1acf7a 10553->10554 10556 1acf87 __aulldvrm 10553->10556 10554->10556 10557 1acf44 10554->10557 10556->10551 10560 1acbea 10557->10560 10561 1acbfb GetSystemTimePreciseAsFileTime 10560->10561 10562 1acc07 10560->10562 10561->10562 10562->10556 10565 1abb9c 10564->10565 10566 1acf6b _xtime_get GetSystemTimePreciseAsFileTime 10565->10566 10569 1abba4 __Xtime_diff_to_millis2 __floor_pentium4 10565->10569 10567 1abbcf __Xtime_diff_to_millis2 10566->10567 10568 1acf6b _xtime_get GetSystemTimePreciseAsFileTime 10567->10568 10567->10569 10568->10569 10569->10542 10575 192ae0 10570->10575 10572 1ac2ae 10582 1ac1ff 10572->10582 10574 1ac2bf Concurrency::cancel_current_task 10590 1abedf 10575->10590 10577 192af4 __cftof 10577->10572 10578 1ca671 __cftof 4 API calls 10577->10578 10581 1c6ccc 10578->10581 10579 1c8bec __cftof 4 API calls 10580 1c6cf6 10579->10580 10581->10579 10583 1ac20b __EH_prolog3_GS 10582->10583 10584 1a80c0 RtlAllocateHeap 10583->10584 10585 1ac23d 10584->10585 10597 1926b0 10585->10597 10587 1ac252 10614 1a7970 10587->10614 10589 1ac25a 10589->10574 10593 1acc31 10590->10593 10594 1acc3f InitOnceExecuteOnce 10593->10594 10595 1abef2 10593->10595 10594->10595 10595->10577 10619 1a7a00 10597->10619 10599 192702 10600 192725 10599->10600 10633 1a8f40 10599->10633 10602 1a8f40 RtlAllocateHeap 10600->10602 10603 19278e 10600->10603 10602->10603 10604 1927ed shared_ptr 10603->10604 10606 1928b8 10603->10606 10605 1c38af ___std_exception_copy RtlAllocateHeap 10604->10605 10609 19284b 10605->10609 10608 1c6c6a RtlAllocateHeap 10606->10608 10607 19287a shared_ptr __floor_pentium4 10607->10587 10608->10609 10609->10607 10610 1c6c6a RtlAllocateHeap 10609->10610 10611 1928c2 10610->10611 10654 1c3912 10611->10654 10613 1928e5 shared_ptr 10613->10587 10615 1a797b 10614->10615 10616 1a7996 shared_ptr 10614->10616 10615->10616 10617 1c6c6a RtlAllocateHeap 10615->10617 10616->10589 10618 1a79ba 10617->10618 10620 1a7a26 10619->10620 10621 1a7a2d 10620->10621 10622 1a7a62 10620->10622 10623 1a7a81 10620->10623 10621->10599 10624 1a7ab9 10622->10624 10625 1a7a69 10622->10625 10626 1ad3e2 RtlAllocateHeap 10623->10626 10630 1a7a76 __cftof 10623->10630 10627 192480 RtlAllocateHeap 10624->10627 10628 1ad3e2 RtlAllocateHeap 10625->10628 10626->10630 10629 1a7a6f 10627->10629 10628->10629 10629->10630 10631 1c6c6a RtlAllocateHeap 10629->10631 10630->10599 10632 1a7ac3 __Cnd_destroy_in_situ shared_ptr __Mtx_destroy_in_situ __Cnd_unregister_at_thread_exit 10631->10632 10632->10599 10634 1a8f6b 10633->10634 10635 1a908e 10633->10635 10639 1a8fdc 10634->10639 10640 1a8fb2 10634->10640 10636 1a9270 RtlAllocateHeap 10635->10636 10637 1a9093 10636->10637 10638 192480 RtlAllocateHeap 10637->10638 10646 1a8fc3 __cftof 10638->10646 10642 1ad3e2 RtlAllocateHeap 10639->10642 10639->10646 10640->10637 10641 1a8fbd 10640->10641 10644 1ad3e2 RtlAllocateHeap 10641->10644 10642->10646 10643 1c6c6a RtlAllocateHeap 10645 1a909d 10643->10645 10644->10646 10647 1a90b8 10645->10647 10650 192480 Concurrency::cancel_current_task 10645->10650 10651 1a90be 10645->10651 10646->10643 10649 1a904c shared_ptr __cftof 10646->10649 10648 1ad3e2 RtlAllocateHeap 10647->10648 10648->10651 10649->10600 10652 1c38af ___std_exception_copy RtlAllocateHeap 10650->10652 10651->10600 10653 1924c3 10652->10653 10653->10600 10655 1c391f 10654->10655 10656 1c3926 10654->10656 10657 1c8ba3 ___std_exception_copy RtlAllocateHeap 10655->10657 10656->10613 10657->10656 10661 1ab5d6 10658->10661 10660 192472 10663 1ab5f1 Concurrency::cancel_current_task 10661->10663 10662 1c8bec __cftof 4 API calls 10664 1ab69f 10662->10664 10663->10662 10665 1ab658 __cftof __floor_pentium4 10663->10665 10665->10660 10675 19cc79 10676 19cc84 shared_ptr 10675->10676 10677 19ccda shared_ptr __floor_pentium4 10676->10677 10678 1c6c6a RtlAllocateHeap 10676->10678 10679 19ce36 10678->10679 10680 1a7a00 RtlAllocateHeap 10679->10680 10681 19ce92 10680->10681 10685 195c10 10681->10685 10683 19ce9d 10736 19ca70 10683->10736 10756 195940 10685->10756 10687 195c54 10759 194b30 10687->10759 10690 195d17 shared_ptr __floor_pentium4 10690->10683 10691 1c6c6a RtlAllocateHeap 10692 195d47 __cftof 10691->10692 10692->10692 10693 1a80c0 RtlAllocateHeap 10692->10693 10695 195e3e 10693->10695 10694 195ea6 shared_ptr __floor_pentium4 10694->10683 10695->10694 10696 1c6c6a RtlAllocateHeap 10695->10696 10697 195ed2 10696->10697 10698 195ffe shared_ptr __floor_pentium4 10697->10698 10699 1c6c6a RtlAllocateHeap 10697->10699 10698->10683 10700 19601b 10699->10700 10701 1a80c0 RtlAllocateHeap 10700->10701 10702 196089 10701->10702 10703 1a80c0 RtlAllocateHeap 10702->10703 10704 1960bd 10703->10704 10705 1a80c0 RtlAllocateHeap 10704->10705 10706 1960ee 10705->10706 10707 1a80c0 RtlAllocateHeap 10706->10707 10708 19611f 10707->10708 10709 1a80c0 RtlAllocateHeap 10708->10709 10711 196150 10709->10711 10710 1965b1 shared_ptr __floor_pentium4 10710->10683 10711->10710 10712 1c6c6a RtlAllocateHeap 10711->10712 10713 1965dc 10712->10713 10714 1a7a00 RtlAllocateHeap 10713->10714 10715 1966a6 10714->10715 10716 195c10 4 API calls 10715->10716 10717 1966ac 10716->10717 10718 195c10 4 API calls 10717->10718 10719 1966b1 10718->10719 10766 1922c0 10719->10766 10721 1966c9 shared_ptr 10722 1a7a00 RtlAllocateHeap 10721->10722 10723 196732 10722->10723 10724 195c10 4 API calls 10723->10724 10725 19673d 10724->10725 10726 1922c0 4 API calls 10725->10726 10735 196757 shared_ptr 10726->10735 10727 196852 10728 1a80c0 RtlAllocateHeap 10727->10728 10730 19689c 10728->10730 10729 1a7a00 RtlAllocateHeap 10729->10735 10731 1a80c0 RtlAllocateHeap 10730->10731 10733 1968e3 shared_ptr __floor_pentium4 10731->10733 10732 195c10 4 API calls 10732->10735 10733->10683 10734 1922c0 4 API calls 10734->10735 10735->10727 10735->10729 10735->10732 10735->10734 10737 19cadd 10736->10737 10738 1a7a00 RtlAllocateHeap 10737->10738 10755 19cc87 10737->10755 10739 19ccee 10738->10739 10741 195c10 4 API calls 10739->10741 10740 19ccda shared_ptr __floor_pentium4 10742 19ccf9 10741->10742 11111 199030 10742->11111 10743 1c6c6a RtlAllocateHeap 10745 19ce36 10743->10745 10747 1a7a00 RtlAllocateHeap 10745->10747 10746 19cd0d 11124 1a8220 10746->11124 10749 19ce92 10747->10749 10751 195c10 4 API calls 10749->10751 10750 19cd1f 10754 1a8f40 RtlAllocateHeap 10750->10754 10752 19ce9d 10751->10752 10753 19ca70 4 API calls 10752->10753 10754->10755 10755->10740 10755->10743 10769 1a7f80 10756->10769 10758 19596b 10758->10687 10760 194dc2 10759->10760 10761 194b92 10759->10761 10760->10690 10760->10691 10764 194ce5 10761->10764 10784 1c6da6 10761->10784 10789 1a8ca0 10761->10789 10763 1a8ca0 RtlAllocateHeap 10763->10764 10764->10760 10764->10763 10825 192280 10766->10825 10770 1a7f9e __cftof 10769->10770 10772 1a7fc7 10769->10772 10770->10758 10771 1a80b3 10773 1a9270 RtlAllocateHeap 10771->10773 10772->10771 10776 1a801b 10772->10776 10777 1a803e 10772->10777 10774 1a80b8 10773->10774 10775 192480 RtlAllocateHeap 10774->10775 10778 1a80bd 10775->10778 10776->10774 10779 1ad3e2 RtlAllocateHeap 10776->10779 10780 1ad3e2 RtlAllocateHeap 10777->10780 10782 1a802c __cftof 10777->10782 10779->10782 10780->10782 10781 1c6c6a RtlAllocateHeap 10781->10771 10782->10781 10783 1a8095 shared_ptr 10782->10783 10783->10758 10785 1c6db4 10784->10785 10786 1c6dc2 10784->10786 10804 1c6d19 10785->10804 10786->10761 10790 1a8dc9 10789->10790 10791 1a8cc3 10789->10791 10792 1a9270 RtlAllocateHeap 10790->10792 10795 1a8d2f 10791->10795 10796 1a8d05 10791->10796 10793 1a8dce 10792->10793 10794 192480 RtlAllocateHeap 10793->10794 10802 1a8d16 __cftof 10794->10802 10798 1ad3e2 RtlAllocateHeap 10795->10798 10795->10802 10796->10793 10797 1a8d10 10796->10797 10800 1ad3e2 RtlAllocateHeap 10797->10800 10798->10802 10799 1c6c6a RtlAllocateHeap 10801 1a8dd8 10799->10801 10800->10802 10802->10799 10803 1a8d8b shared_ptr __cftof 10802->10803 10803->10761 10805 1c690a __cftof 4 API calls 10804->10805 10806 1c6d2c 10805->10806 10809 1c6d52 10806->10809 10808 1c6d3d 10808->10761 10810 1c6d8f 10809->10810 10811 1c6d5f 10809->10811 10820 1cb67d 10810->10820 10812 1c6d6e 10811->10812 10815 1cb6a1 10811->10815 10812->10808 10816 1c690a __cftof 4 API calls 10815->10816 10817 1cb6be 10816->10817 10818 1cf1bf __cftof 4 API calls 10817->10818 10819 1cb6ce __floor_pentium4 10817->10819 10818->10819 10819->10812 10821 1ca671 __cftof 4 API calls 10820->10821 10822 1cb688 10821->10822 10823 1cb5fb __cftof 4 API calls 10822->10823 10824 1cb698 10823->10824 10824->10812 10826 192296 10825->10826 10829 1c87f8 10826->10829 10832 1c7609 10829->10832 10831 1922a4 10831->10721 10833 1c7649 10832->10833 10834 1c7631 10832->10834 10833->10834 10835 1c7651 10833->10835 10836 1c75f6 __dosmaperr RtlAllocateHeap 10834->10836 10837 1c690a __cftof 4 API calls 10835->10837 10838 1c7636 10836->10838 10841 1c7661 10837->10841 10839 1c6c5a __cftof RtlAllocateHeap 10838->10839 10840 1c7641 __floor_pentium4 10839->10840 10840->10831 10845 1c7bc4 10841->10845 10861 1c868d 10845->10861 10847 1c76e8 10858 1c7a19 10847->10858 10848 1c7be4 10849 1c75f6 __dosmaperr RtlAllocateHeap 10848->10849 10850 1c7be9 10849->10850 10851 1c6c5a __cftof RtlAllocateHeap 10850->10851 10851->10847 10852 1c7bd5 10852->10847 10852->10848 10868 1c7d15 10852->10868 10876 1c8168 10852->10876 10881 1c7dc2 10852->10881 10886 1c7de8 10852->10886 10915 1c7f36 10852->10915 10859 1cadf5 ___free_lconv_mon RtlAllocateHeap 10858->10859 10860 1c7a29 10859->10860 10860->10840 10862 1c86a5 10861->10862 10863 1c8692 10861->10863 10862->10852 10864 1c75f6 __dosmaperr RtlAllocateHeap 10863->10864 10865 1c8697 10864->10865 10866 1c6c5a __cftof RtlAllocateHeap 10865->10866 10867 1c86a2 10866->10867 10867->10852 10937 1c7d34 10868->10937 10870 1c7d1a 10871 1c7d31 10870->10871 10872 1c75f6 __dosmaperr RtlAllocateHeap 10870->10872 10871->10852 10873 1c7d23 10872->10873 10874 1c6c5a __cftof RtlAllocateHeap 10873->10874 10875 1c7d2e 10874->10875 10875->10852 10877 1c8171 10876->10877 10879 1c8178 10876->10879 10946 1c7b50 10877->10946 10879->10852 10882 1c7dcb 10881->10882 10883 1c7dd2 10881->10883 10884 1c7b50 4 API calls 10882->10884 10883->10852 10885 1c7dd1 10884->10885 10885->10852 10887 1c7def 10886->10887 10888 1c7e09 10886->10888 10889 1c7f4f 10887->10889 10890 1c7fbb 10887->10890 10906 1c7e39 10887->10906 10891 1c75f6 __dosmaperr RtlAllocateHeap 10888->10891 10888->10906 10900 1c7f92 10889->10900 10902 1c7f5b 10889->10902 10894 1c8001 10890->10894 10895 1c7fc2 10890->10895 10890->10900 10892 1c7e25 10891->10892 10893 1c6c5a __cftof RtlAllocateHeap 10892->10893 10897 1c7e30 10893->10897 11005 1c8604 10894->11005 10896 1c7fc7 10895->10896 10910 1c7f69 10895->10910 10896->10900 10901 1c7fcc 10896->10901 10897->10852 10899 1c7fa2 10914 1c7f8b 10899->10914 10976 1c8390 10899->10976 10913 1c7f77 10900->10913 10900->10914 10990 1c8420 10900->10990 10905 1c7fdf 10901->10905 10908 1c7fd1 10901->10908 10902->10899 10902->10910 10902->10913 10984 1c8571 10905->10984 10906->10852 10908->10914 10980 1c85e5 10908->10980 10910->10913 10910->10914 10999 1c8241 10910->10999 10913->10914 11008 1c86ea 10913->11008 10914->10852 10916 1c7f4f 10915->10916 10917 1c7fbb 10915->10917 10918 1c7f92 10916->10918 10923 1c7f5b 10916->10923 10917->10918 10919 1c8001 10917->10919 10920 1c7fc2 10917->10920 10924 1c8420 RtlAllocateHeap 10918->10924 10935 1c7f77 10918->10935 10936 1c7f8b 10918->10936 10922 1c8604 RtlAllocateHeap 10919->10922 10921 1c7fc7 10920->10921 10928 1c7f69 10920->10928 10921->10918 10926 1c7fcc 10921->10926 10922->10935 10927 1c7fa2 10923->10927 10923->10928 10923->10935 10924->10935 10925 1c8241 4 API calls 10925->10935 10929 1c7fdf 10926->10929 10930 1c7fd1 10926->10930 10932 1c8390 4 API calls 10927->10932 10927->10936 10928->10925 10928->10935 10928->10936 10931 1c8571 RtlAllocateHeap 10929->10931 10933 1c85e5 RtlAllocateHeap 10930->10933 10930->10936 10931->10935 10932->10935 10933->10935 10934 1c86ea 4 API calls 10934->10936 10935->10934 10935->10936 10936->10852 10940 1c7d5e 10937->10940 10939 1c7d40 10939->10870 10942 1c7d80 10940->10942 10941 1c7db7 10941->10939 10942->10941 10943 1c75f6 __dosmaperr RtlAllocateHeap 10942->10943 10944 1c7dac 10943->10944 10945 1c6c5a __cftof RtlAllocateHeap 10944->10945 10945->10941 10947 1c7b67 10946->10947 10948 1c7b62 10946->10948 10954 1c8ab6 10947->10954 10949 1c75f6 __dosmaperr RtlAllocateHeap 10948->10949 10949->10947 10952 1c75f6 __dosmaperr RtlAllocateHeap 10953 1c7b99 10952->10953 10953->10852 10955 1c8ad1 10954->10955 10958 1c8868 10955->10958 10959 1c868d RtlAllocateHeap 10958->10959 10962 1c887a 10959->10962 10960 1c88b3 10963 1c690a __cftof GetPEB ExitProcess GetPEB RtlAllocateHeap 10960->10963 10961 1c888f 10964 1c75f6 __dosmaperr RtlAllocateHeap 10961->10964 10962->10960 10962->10961 10975 1c7b85 10962->10975 10968 1c88bf 10963->10968 10965 1c8894 10964->10965 10967 1c6c5a __cftof RtlAllocateHeap 10965->10967 10966 1c6d52 GetPEB ExitProcess GetPEB RtlAllocateHeap 10966->10968 10967->10975 10968->10966 10969 1c88ee 10968->10969 10971 1c8a8d RtlAllocateHeap 10969->10971 10972 1c8958 10969->10972 10970 1c8a8d RtlAllocateHeap 10973 1c8a20 10970->10973 10971->10972 10972->10970 10974 1c75f6 __dosmaperr RtlAllocateHeap 10973->10974 10973->10975 10974->10975 10975->10952 10975->10953 10978 1c83ab 10976->10978 10977 1c83dd 10977->10913 10978->10977 11012 1cc88e 10978->11012 10981 1c85f1 10980->10981 10982 1c8420 RtlAllocateHeap 10981->10982 10983 1c8603 10982->10983 10983->10913 10985 1c8586 10984->10985 10986 1c75f6 __dosmaperr RtlAllocateHeap 10985->10986 10989 1c859a 10985->10989 10987 1c858f 10986->10987 10988 1c6c5a __cftof RtlAllocateHeap 10987->10988 10988->10989 10989->10913 10991 1c8433 10990->10991 10992 1c844e 10991->10992 10994 1c8465 10991->10994 10993 1c75f6 __dosmaperr RtlAllocateHeap 10992->10993 10995 1c8453 10993->10995 10998 1c845e 10994->10998 11036 1c779f 10994->11036 10996 1c6c5a __cftof RtlAllocateHeap 10995->10996 10996->10998 10998->10913 11000 1c825a 10999->11000 11001 1c779f RtlAllocateHeap 11000->11001 11002 1c8297 11001->11002 11049 1cd3c8 11002->11049 11004 1c830d 11004->10913 11004->11004 11006 1c8420 RtlAllocateHeap 11005->11006 11007 1c861b 11006->11007 11007->10913 11009 1c875d __floor_pentium4 11008->11009 11010 1c8707 11008->11010 11009->10914 11010->11009 11011 1cc88e __cftof 4 API calls 11010->11011 11011->11010 11015 1cc733 11012->11015 11016 1cc743 11015->11016 11017 1cc76d 11016->11017 11018 1cc781 11016->11018 11027 1cc748 11016->11027 11020 1c75f6 __dosmaperr RtlAllocateHeap 11017->11020 11019 1c690a __cftof GetPEB ExitProcess GetPEB RtlAllocateHeap 11018->11019 11021 1cc78c 11019->11021 11022 1cc772 11020->11022 11023 1cc79c 11021->11023 11024 1cc7c8 __cftof 11021->11024 11025 1c6c5a __cftof RtlAllocateHeap 11022->11025 11026 1d2b7d __cftof RtlAllocateHeap 11023->11026 11029 1cc7de __cftof 11024->11029 11035 1cc815 __cftof 11024->11035 11025->11027 11028 1cc7b1 11026->11028 11027->10977 11028->11027 11031 1c75f6 __dosmaperr RtlAllocateHeap 11028->11031 11029->11027 11030 1c75f6 __dosmaperr RtlAllocateHeap 11029->11030 11030->11027 11031->11027 11032 1c75f6 __dosmaperr RtlAllocateHeap 11033 1cc87f 11032->11033 11034 1c6c5a __cftof RtlAllocateHeap 11033->11034 11034->11027 11035->11027 11035->11032 11037 1c77b4 11036->11037 11038 1c77c3 11036->11038 11039 1c75f6 __dosmaperr RtlAllocateHeap 11037->11039 11040 1c77b9 11038->11040 11041 1cb04b __cftof RtlAllocateHeap 11038->11041 11039->11040 11040->10998 11042 1c77ea 11041->11042 11043 1c7801 11042->11043 11046 1c7a33 11042->11046 11045 1cadf5 ___free_lconv_mon RtlAllocateHeap 11043->11045 11045->11040 11047 1cadf5 ___free_lconv_mon RtlAllocateHeap 11046->11047 11048 1c7a42 11047->11048 11048->11043 11050 1cd3ee 11049->11050 11051 1cd3d8 11049->11051 11050->11051 11056 1cd400 11050->11056 11052 1c75f6 __dosmaperr RtlAllocateHeap 11051->11052 11053 1cd3dd 11052->11053 11054 1c6c5a __cftof RtlAllocateHeap 11053->11054 11055 1cd3e7 11054->11055 11055->11004 11057 1cd439 11056->11057 11058 1cd467 11056->11058 11070 1cd2ff 11057->11070 11059 1cd485 11058->11059 11060 1cd48a 11058->11060 11062 1cd4ae 11059->11062 11063 1cd4e4 11059->11063 11075 1ccbdf 11060->11075 11064 1cd4cc 11062->11064 11065 1cd4b3 11062->11065 11103 1ccef8 11063->11103 11096 1cd0e2 11064->11096 11086 1cd23e 11065->11086 11071 1cd315 11070->11071 11072 1cd320 11070->11072 11071->11055 11073 1ca1f1 ___std_exception_copy RtlAllocateHeap 11072->11073 11074 1cd37b __cftof 11073->11074 11074->11055 11076 1ccbf1 11075->11076 11077 1c690a __cftof GetPEB ExitProcess GetPEB RtlAllocateHeap 11076->11077 11078 1ccc05 11077->11078 11079 1ccc0d 11078->11079 11080 1ccc21 11078->11080 11081 1c75f6 __dosmaperr RtlAllocateHeap 11079->11081 11082 1ccef8 GetPEB ExitProcess GetPEB RtlAllocateHeap 11080->11082 11085 1ccc1c __alldvrm __cftof _strrchr 11080->11085 11083 1ccc12 11081->11083 11082->11085 11084 1c6c5a __cftof RtlAllocateHeap 11083->11084 11084->11085 11085->11055 11087 1d31a8 RtlAllocateHeap 11086->11087 11088 1cd26c 11087->11088 11089 1d2c47 RtlAllocateHeap 11088->11089 11090 1cd29e 11089->11090 11091 1cd2a5 11090->11091 11092 1cd2de 11090->11092 11094 1cd2b7 11090->11094 11091->11055 11093 1ccf9a GetPEB ExitProcess GetPEB RtlAllocateHeap 11092->11093 11093->11091 11095 1cd16d GetPEB ExitProcess GetPEB RtlAllocateHeap 11094->11095 11095->11091 11097 1d31a8 RtlAllocateHeap 11096->11097 11098 1cd10f 11097->11098 11099 1d2c47 RtlAllocateHeap 11098->11099 11100 1cd147 11099->11100 11101 1cd14e 11100->11101 11102 1cd16d GetPEB ExitProcess GetPEB RtlAllocateHeap 11100->11102 11101->11055 11102->11101 11104 1ccf10 11103->11104 11105 1d31a8 RtlAllocateHeap 11104->11105 11106 1ccf29 11105->11106 11107 1d2c47 RtlAllocateHeap 11106->11107 11108 1ccf6e 11107->11108 11109 1ccf75 11108->11109 11110 1ccf9a GetPEB ExitProcess GetPEB RtlAllocateHeap 11108->11110 11109->11055 11110->11109 11112 19907f 11111->11112 11113 1a7a00 RtlAllocateHeap 11112->11113 11114 19908f 11113->11114 11115 195c10 4 API calls 11114->11115 11116 19909a 11115->11116 11117 1a80c0 RtlAllocateHeap 11116->11117 11118 1990ec 11117->11118 11119 1a8220 RtlAllocateHeap 11118->11119 11120 1990fe shared_ptr 11119->11120 11121 19917e shared_ptr __floor_pentium4 11120->11121 11122 1c6c6a RtlAllocateHeap 11120->11122 11121->10746 11123 1991aa 11122->11123 11125 1a8248 11124->11125 11126 1a8292 11124->11126 11125->11126 11127 1a8251 11125->11127 11129 1a8f40 RtlAllocateHeap 11126->11129 11131 1a82a1 11126->11131 11132 1a9280 11127->11132 11129->11131 11130 1a825a 11130->10750 11131->10750 11133 1a9294 11132->11133 11136 1a92a5 __cftof 11133->11136 11137 1a94e0 11133->11137 11135 1a932b 11135->11130 11136->11130 11138 1a950b 11137->11138 11139 1a9619 11137->11139 11143 1a9579 11138->11143 11144 1a9552 11138->11144 11140 1a9270 RtlAllocateHeap 11139->11140 11141 1a961e 11140->11141 11142 192480 RtlAllocateHeap 11141->11142 11150 1a9563 __cftof 11142->11150 11148 1ad3e2 RtlAllocateHeap 11143->11148 11143->11150 11144->11141 11145 1a955d 11144->11145 11147 1ad3e2 RtlAllocateHeap 11145->11147 11146 1c6c6a RtlAllocateHeap 11149 1a9628 shared_ptr 11146->11149 11147->11150 11148->11150 11149->11135 11150->11146 11151 1a95e1 shared_ptr __cftof 11150->11151 11151->11135 11161 194276 11166 192410 11161->11166 11165 19428f 11167 192424 11166->11167 11181 1ab52d 11167->11181 11170 193ce0 11171 193d42 11170->11171 11173 193d52 11170->11173 11172 1a7d50 RtlAllocateHeap 11171->11172 11172->11173 11174 1ad3e2 RtlAllocateHeap 11173->11174 11175 193d84 11174->11175 11176 1a7d50 RtlAllocateHeap 11175->11176 11178 193e03 11175->11178 11176->11178 11177 193e9b shared_ptr 11177->11165 11178->11177 11179 1c6c6a RtlAllocateHeap 11178->11179 11180 193ec1 11179->11180 11189 1c3aed 11181->11189 11184 1ab5a5 ___std_exception_copy 11196 1ab1ad 11184->11196 11185 1ab598 11192 1aaf56 11185->11192 11188 19242a 11188->11170 11200 1c4f29 11189->11200 11193 1aaf9f ___std_exception_copy 11192->11193 11194 1aafb2 shared_ptr 11193->11194 11213 1ab39f 11193->11213 11194->11188 11197 1ab1d8 11196->11197 11198 1ab1e1 shared_ptr 11196->11198 11199 1ab39f 5 API calls 11197->11199 11198->11188 11199->11198 11208 1c4f37 11200->11208 11202 1ab555 11202->11184 11202->11185 11202->11188 11203 1c4f2e __cftof 11203->11202 11204 1cd634 __cftof 4 API calls 11203->11204 11207 1c8bfc __cftof 11203->11207 11204->11207 11205 1c65ed __cftof 3 API calls 11206 1c8c2f 11205->11206 11207->11205 11209 1c4f40 11208->11209 11211 1c4f43 11208->11211 11209->11203 11210 1c4f77 11210->11203 11211->11210 11212 1c8ba3 ___std_exception_copy RtlAllocateHeap 11211->11212 11212->11210 11214 1abedf InitOnceExecuteOnce 11213->11214 11215 1ab3e1 11214->11215 11216 1ab3e8 11215->11216 11224 1c6cbb 11215->11224 11216->11194 11225 1c6cc7 __cftof 11224->11225 11226 1ca671 __cftof 4 API calls 11225->11226 11229 1c6ccc 11226->11229 11227 1c8bec __cftof 4 API calls 11228 1c6cf6 11227->11228 11229->11227 11270 195a9e 11273 195a61 11270->11273 11271 1a80c0 RtlAllocateHeap 11271->11273 11273->11270 11273->11271 11274 1a7a00 RtlAllocateHeap 11273->11274 11275 195bdd __floor_pentium4 11273->11275 11276 195730 11273->11276 11274->11273 11277 195799 shared_ptr 11276->11277 11282 195860 shared_ptr 11276->11282 11278 19592a 11277->11278 11279 1a80c0 RtlAllocateHeap 11277->11279 11277->11282 11285 1a8200 11278->11285 11279->11277 11281 195900 shared_ptr __floor_pentium4 11281->11273 11282->11281 11283 1c6c6a RtlAllocateHeap 11282->11283 11284 195934 11283->11284 11288 1ac1d9 11285->11288 11287 1a820a 11291 1ac15d 11288->11291 11290 1ac1ea Concurrency::cancel_current_task 11290->11287 11292 1922e0 std::invalid_argument::invalid_argument RtlAllocateHeap 11291->11292 11293 1ac16f 11292->11293 11293->11290 11301 193c8e 11302 193c98 11301->11302 11303 193cb4 11302->11303 11304 192410 5 API calls 11302->11304 11306 193810 4 API calls 11303->11306 11305 193ca5 11304->11305 11307 193ce0 RtlAllocateHeap 11305->11307 11308 193ccf 11306->11308 11307->11303 11309 193810 4 API calls 11308->11309 11310 193cdb 11309->11310 11311 1a7d50 RtlAllocateHeap 11310->11311 11312 193d52 11310->11312 11311->11312 11313 1ad3e2 RtlAllocateHeap 11312->11313 11314 193d84 11313->11314 11315 1a7d50 RtlAllocateHeap 11314->11315 11316 193e03 11314->11316 11315->11316 11317 193e9b shared_ptr 11316->11317 11318 1c6c6a RtlAllocateHeap 11316->11318 11319 193ec1 11318->11319 11360 1a8680 11361 1a86e0 11360->11361 11361->11361 11369 1a7760 11361->11369 11363 1a86f9 11364 1a8f40 RtlAllocateHeap 11363->11364 11365 1a8714 11363->11365 11364->11365 11366 1a8f40 RtlAllocateHeap 11365->11366 11368 1a8769 11365->11368 11367 1a87b1 11366->11367 11371 1a777b 11369->11371 11380 1a7864 shared_ptr __cftof 11369->11380 11370 1a78f1 11372 1a9270 RtlAllocateHeap 11370->11372 11371->11370 11375 1a77ea 11371->11375 11376 1a7811 11371->11376 11371->11380 11382 1a77fb __cftof 11371->11382 11373 1a78f6 11372->11373 11374 192480 RtlAllocateHeap 11373->11374 11377 1a78fb 11374->11377 11375->11373 11379 1ad3e2 RtlAllocateHeap 11375->11379 11378 1ad3e2 RtlAllocateHeap 11376->11378 11376->11382 11378->11382 11379->11382 11380->11363 11381 1c6c6a RtlAllocateHeap 11381->11370 11382->11380 11382->11381 11383 19a682 11384 19a68a shared_ptr 11383->11384 11385 19a75d shared_ptr 11384->11385 11386 19a949 11384->11386 11390 1a80c0 RtlAllocateHeap 11385->11390 11387 1c6c6a RtlAllocateHeap 11386->11387 11388 19a94e 11387->11388 11389 1c6c6a RtlAllocateHeap 11388->11389 11391 19a953 Sleep CreateMutexA 11389->11391 11392 19a903 11390->11392 11393 19a98e 11391->11393 11394 199ab8 11396 199acc 11394->11396 11397 199b08 11396->11397 11398 199b4b shared_ptr 11397->11398 11401 19a917 11397->11401 11399 199b59 11398->11399 11400 199b65 11398->11400 11406 1a80c0 RtlAllocateHeap 11399->11406 11402 1a7a00 RtlAllocateHeap 11400->11402 11404 19a953 Sleep CreateMutexA 11401->11404 11405 1c6c6a RtlAllocateHeap 11401->11405 11403 199b74 11402->11403 11407 195c10 4 API calls 11403->11407 11410 19a98e 11404->11410 11405->11404 11408 19a903 11406->11408 11409 199b7c 11407->11409 11423 198b30 11409->11423 11412 199b8d 11413 1a8220 RtlAllocateHeap 11412->11413 11414 199b9c 11413->11414 11415 1a7a00 RtlAllocateHeap 11414->11415 11416 199ca9 11415->11416 11417 195c10 4 API calls 11416->11417 11418 199cb1 11417->11418 11419 198b30 4 API calls 11418->11419 11420 199cc2 11419->11420 11421 1a8220 RtlAllocateHeap 11420->11421 11422 199cd1 11421->11422 11424 198b7c 11423->11424 11425 1a7a00 RtlAllocateHeap 11424->11425 11426 198b8c 11425->11426 11427 195c10 4 API calls 11426->11427 11428 198b97 11427->11428 11429 1a80c0 RtlAllocateHeap 11428->11429 11430 198be3 11429->11430 11431 1a80c0 RtlAllocateHeap 11430->11431 11432 198c35 11431->11432 11433 1a8220 RtlAllocateHeap 11432->11433 11436 198c47 shared_ptr 11433->11436 11434 198d01 shared_ptr __floor_pentium4 11434->11412 11435 1c6c6a RtlAllocateHeap 11437 198d2d 11435->11437 11436->11434 11436->11435 11438 1a7a00 RtlAllocateHeap 11437->11438 11439 198d8f 11438->11439 11440 195c10 4 API calls 11439->11440 11441 198d9a 11440->11441 11442 1a80c0 RtlAllocateHeap 11441->11442 11443 198dec 11442->11443 11444 1a8220 RtlAllocateHeap 11443->11444 11446 198dfe shared_ptr 11444->11446 11445 198e7e shared_ptr __floor_pentium4 11445->11412 11446->11445 11447 1c6c6a RtlAllocateHeap 11446->11447 11448 198eaa 11447->11448 11449 1a7a00 RtlAllocateHeap 11448->11449 11450 198f0f 11449->11450 11451 195c10 4 API calls 11450->11451 11452 198f1a 11451->11452 11453 1a80c0 RtlAllocateHeap 11452->11453 11454 198f6c 11453->11454 11455 1a8220 RtlAllocateHeap 11454->11455 11457 198f7e shared_ptr 11455->11457 11456 198ffe shared_ptr __floor_pentium4 11456->11412 11457->11456 11458 1c6c6a RtlAllocateHeap 11457->11458 11459 19902a 11458->11459 11460 1942b0 11463 193ac0 11460->11463 11462 1942bb shared_ptr 11464 193af9 11463->11464 11465 1c6c6a RtlAllocateHeap 11464->11465 11470 193b39 __Cnd_destroy_in_situ shared_ptr __Mtx_destroy_in_situ 11464->11470 11466 193be6 11465->11466 11468 1932d0 6 API calls 11466->11468 11469 193c38 11466->11469 11467 1932d0 6 API calls 11472 193c5f 11467->11472 11468->11469 11469->11467 11469->11472 11470->11462 11471 193c68 11471->11462 11472->11471 11473 193810 4 API calls 11472->11473 11474 193cdb 11473->11474 11475 1a7d50 RtlAllocateHeap 11474->11475 11476 193d52 11474->11476 11475->11476 11477 1ad3e2 RtlAllocateHeap 11476->11477 11478 193d84 11477->11478 11479 1a7d50 RtlAllocateHeap 11478->11479 11481 193e03 11478->11481 11479->11481 11480 193e9b shared_ptr 11480->11462 11481->11480 11482 1c6c6a RtlAllocateHeap 11481->11482 11483 193ec1 11482->11483 11484 195cad 11486 195caf 11484->11486 11485 195d17 shared_ptr __floor_pentium4 11486->11485 11487 1c6c6a RtlAllocateHeap 11486->11487 11488 195d47 __cftof 11487->11488 11488->11488 11489 1a80c0 RtlAllocateHeap 11488->11489 11491 195e3e 11489->11491 11490 195ea6 shared_ptr __floor_pentium4 11491->11490 11492 1c6c6a RtlAllocateHeap 11491->11492 11493 195ed2 11492->11493 11494 195ffe shared_ptr __floor_pentium4 11493->11494 11495 1c6c6a RtlAllocateHeap 11493->11495 11496 19601b 11495->11496 11497 1a80c0 RtlAllocateHeap 11496->11497 11498 196089 11497->11498 11499 1a80c0 RtlAllocateHeap 11498->11499 11500 1960bd 11499->11500 11501 1a80c0 RtlAllocateHeap 11500->11501 11502 1960ee 11501->11502 11503 1a80c0 RtlAllocateHeap 11502->11503 11504 19611f 11503->11504 11505 1a80c0 RtlAllocateHeap 11504->11505 11507 196150 11505->11507 11506 1965b1 shared_ptr __floor_pentium4 11507->11506 11508 1c6c6a RtlAllocateHeap 11507->11508 11509 1965dc 11508->11509 11510 1a7a00 RtlAllocateHeap 11509->11510 11511 1966a6 11510->11511 11512 195c10 4 API calls 11511->11512 11513 1966ac 11512->11513 11514 195c10 4 API calls 11513->11514 11515 1966b1 11514->11515 11516 1922c0 4 API calls 11515->11516 11517 1966c9 shared_ptr 11516->11517 11518 1a7a00 RtlAllocateHeap 11517->11518 11519 196732 11518->11519 11520 195c10 4 API calls 11519->11520 11521 19673d 11520->11521 11522 1922c0 4 API calls 11521->11522 11531 196757 shared_ptr 11522->11531 11523 196852 11524 1a80c0 RtlAllocateHeap 11523->11524 11526 19689c 11524->11526 11525 1a7a00 RtlAllocateHeap 11525->11531 11527 1a80c0 RtlAllocateHeap 11526->11527 11529 1968e3 shared_ptr __floor_pentium4 11527->11529 11528 195c10 4 API calls 11528->11531 11530 1922c0 4 API calls 11530->11531 11531->11523 11531->11525 11531->11528 11531->11530 11567 1920a0 11568 1ac68b __Mtx_init_in_situ 2 API calls 11567->11568 11569 1920ac 11568->11569 11570 1ad64e RtlAllocateHeap 11569->11570 11571 1920b6 11570->11571 11572 1934a0 11573 1934aa 11572->11573 11574 1934ca shared_ptr 11572->11574 11573->11574 11575 1c6c6a RtlAllocateHeap 11573->11575 11576 1934f2 Concurrency::cancel_current_task shared_ptr 11575->11576 11582 199adc 11590 199aea shared_ptr 11582->11590 11583 19a917 11584 19a953 Sleep CreateMutexA 11583->11584 11585 1c6c6a RtlAllocateHeap 11583->11585 11586 19a98e 11584->11586 11585->11584 11587 199b4b shared_ptr 11588 199b59 11587->11588 11589 199b65 11587->11589 11593 1a80c0 RtlAllocateHeap 11588->11593 11591 1a7a00 RtlAllocateHeap 11589->11591 11590->11583 11590->11587 11592 199b74 11591->11592 11594 195c10 4 API calls 11592->11594 11595 19a903 11593->11595 11596 199b7c 11594->11596 11597 198b30 4 API calls 11596->11597 11598 199b8d 11597->11598 11599 1a8220 RtlAllocateHeap 11598->11599 11600 199b9c 11599->11600 11601 1a7a00 RtlAllocateHeap 11600->11601 11602 199ca9 11601->11602 11603 195c10 4 API calls 11602->11603 11604 199cb1 11603->11604 11605 198b30 4 API calls 11604->11605 11606 199cc2 11605->11606 11607 1a8220 RtlAllocateHeap 11606->11607 11608 199cd1 11607->11608 11654 19e0c0 recv 11655 19e122 recv 11654->11655 11656 19e157 recv 11655->11656 11658 19e191 11656->11658 11657 19e2b3 __floor_pentium4 11658->11657 11659 1ac6ac GetSystemTimePreciseAsFileTime 11658->11659 11660 19e2ee 11659->11660 11661 1ac26a 5 API calls 11660->11661 11662 19e358 11661->11662 11663 192ec0 11664 192f7e GetCurrentThreadId 11663->11664 11665 192f06 11663->11665 11666 192f94 11664->11666 11667 192fef 11664->11667 11668 1ac6ac GetSystemTimePreciseAsFileTime 11665->11668 11666->11667 11674 1ac6ac GetSystemTimePreciseAsFileTime 11666->11674 11669 192f12 11668->11669 11670 192f1d 11669->11670 11671 19301e 11669->11671 11675 1ad3e2 RtlAllocateHeap 11670->11675 11678 192f30 __Mtx_unlock 11670->11678 11672 1ac26a 5 API calls 11671->11672 11673 193024 11672->11673 11676 1ac26a 5 API calls 11673->11676 11677 192fb9 11674->11677 11675->11678 11676->11677 11680 1ac26a 5 API calls 11677->11680 11681 192fc0 __Mtx_unlock 11677->11681 11678->11673 11679 192f6f 11678->11679 11679->11664 11679->11667 11680->11681 11682 1ac26a 5 API calls 11681->11682 11683 192fd8 __Cnd_broadcast 11681->11683 11682->11683 11683->11667 11684 1ac26a 5 API calls 11683->11684 11685 19303c 11684->11685 11686 1ac6ac GetSystemTimePreciseAsFileTime 11685->11686 11695 193080 shared_ptr __Mtx_unlock 11686->11695 11687 1931c5 11688 1ac26a 5 API calls 11687->11688 11689 1931cb 11688->11689 11690 1ac26a 5 API calls 11689->11690 11691 1931d1 11690->11691 11692 1ac26a 5 API calls 11691->11692 11693 193193 __Mtx_unlock 11692->11693 11694 1931a7 __floor_pentium4 11693->11694 11696 1ac26a 5 API calls 11693->11696 11695->11687 11695->11689 11695->11694 11698 193132 GetCurrentThreadId 11695->11698 11697 1931dd 11696->11697 11698->11694 11699 19313b 11698->11699 11699->11694 11700 1ac6ac GetSystemTimePreciseAsFileTime 11699->11700 11702 19315f 11700->11702 11701 1abd4c GetSystemTimePreciseAsFileTime 11701->11702 11702->11687 11702->11691 11702->11693 11702->11701 11703 1ad0c7 11704 1ad0d7 11703->11704 11705 1ad17f 11704->11705 11706 1ad17b RtlWakeAllConditionVariable 11704->11706 11707 1a9ef0 11708 1a9f0c 11707->11708 11709 1ac68b __Mtx_init_in_situ 2 API calls 11708->11709 11710 1a9f17 11709->11710 11711 1d44f2 11712 1d450c 11711->11712 11713 1d44ff 11711->11713 11715 1c75f6 __dosmaperr RtlAllocateHeap 11712->11715 11717 1d4518 11712->11717 11714 1c75f6 __dosmaperr RtlAllocateHeap 11713->11714 11716 1d4504 11714->11716 11718 1d4539 11715->11718 11719 1c6c5a __cftof RtlAllocateHeap 11718->11719 11719->11716 11720 196ae9 11723 196b01 11720->11723 11721 1a80c0 RtlAllocateHeap 11722 196bac 11721->11722 11724 1a9280 RtlAllocateHeap 11722->11724 11723->11721 11725 196bbd shared_ptr 11723->11725 11724->11725 11726 1a80c0 RtlAllocateHeap 11725->11726 11727 196ce3 shared_ptr __floor_pentium4 11726->11727 11776 19211c 11777 192126 11776->11777 11778 1ad64e RtlAllocateHeap 11777->11778 11779 192132 11778->11779 11783 192b10 11784 192b1a 11783->11784 11785 192b1c 11783->11785 11786 1ac26a 5 API calls 11785->11786 11787 192b22 11786->11787 11788 1a8510 11789 1a855f 11788->11789 11792 1a856c 11788->11792 11794 1a9d00 11789->11794 11791 1a85c4 11792->11791 11815 1aa060 11792->11815 11795 1a9e31 11794->11795 11798 1a9d25 11794->11798 11796 1a9270 RtlAllocateHeap 11795->11796 11809 1a9d8b __cftof 11796->11809 11797 1a9e2c 11802 192480 RtlAllocateHeap 11797->11802 11798->11797 11800 1a9d7a 11798->11800 11801 1a9da1 11798->11801 11799 1c6c6a RtlAllocateHeap 11806 1a9e3b 11799->11806 11800->11797 11803 1a9d85 11800->11803 11805 1ad3e2 RtlAllocateHeap 11801->11805 11801->11809 11802->11795 11804 1ad3e2 RtlAllocateHeap 11803->11804 11804->11809 11805->11809 11807 1a9e6a shared_ptr 11806->11807 11808 1c6c6a RtlAllocateHeap 11806->11808 11807->11792 11811 1a9e8e 11808->11811 11809->11799 11810 1a9dfc shared_ptr __cftof 11809->11810 11810->11792 11812 1a9ec0 shared_ptr 11811->11812 11813 1c6c6a RtlAllocateHeap 11811->11813 11812->11792 11814 1a9ee6 11813->11814 11816 1aa1b1 11815->11816 11819 1aa083 11815->11819 11817 1a9270 RtlAllocateHeap 11816->11817 11828 1aa0e4 __cftof 11817->11828 11818 1c6c6a RtlAllocateHeap 11827 1aa1bb shared_ptr 11818->11827 11820 1aa1ac 11819->11820 11822 1aa0fd 11819->11822 11823 1aa0d3 11819->11823 11821 192480 RtlAllocateHeap 11820->11821 11821->11816 11826 1ad3e2 RtlAllocateHeap 11822->11826 11822->11828 11823->11820 11824 1aa0de 11823->11824 11825 1ad3e2 RtlAllocateHeap 11824->11825 11825->11828 11826->11828 11827->11792 11828->11818 11829 1aa16c shared_ptr __cftof 11828->11829 11829->11792 11830 1ad111 11831 1ad122 11830->11831 11832 1ad12a 11831->11832 11834 1ad199 11831->11834 11835 1ad1c0 11834->11835 11836 1ad1a7 SleepConditionVariableCS 11834->11836 11835->11831 11836->11835 11889 196535 11891 196549 shared_ptr 11889->11891 11890 1c6c6a RtlAllocateHeap 11893 1965dc 11890->11893 11891->11890 11892 1965b1 shared_ptr __floor_pentium4 11891->11892 11894 1a7a00 RtlAllocateHeap 11893->11894 11895 1966a6 11894->11895 11896 195c10 4 API calls 11895->11896 11897 1966ac 11896->11897 11898 195c10 4 API calls 11897->11898 11899 1966b1 11898->11899 11900 1922c0 4 API calls 11899->11900 11901 1966c9 shared_ptr 11900->11901 11902 1a7a00 RtlAllocateHeap 11901->11902 11903 196732 11902->11903 11904 195c10 4 API calls 11903->11904 11905 19673d 11904->11905 11906 1922c0 4 API calls 11905->11906 11915 196757 shared_ptr 11906->11915 11907 196852 11908 1a80c0 RtlAllocateHeap 11907->11908 11910 19689c 11908->11910 11909 1a7a00 RtlAllocateHeap 11909->11915 11911 1a80c0 RtlAllocateHeap 11910->11911 11913 1968e3 shared_ptr __floor_pentium4 11911->11913 11912 195c10 4 API calls 11912->11915 11914 1922c0 4 API calls 11914->11915 11915->11907 11915->11909 11915->11912 11915->11914 11921 1c6729 11924 1c6672 11921->11924 11923 1c673b 11927 1c667e __cftof 11924->11927 11925 1c6685 11926 1c75f6 __dosmaperr RtlAllocateHeap 11925->11926 11928 1c668a 11926->11928 11927->11925 11929 1c66a5 11927->11929 11930 1c6c5a __cftof RtlAllocateHeap 11928->11930 11931 1c66aa 11929->11931 11932 1c66b7 11929->11932 11937 1c6695 11930->11937 11934 1c75f6 __dosmaperr RtlAllocateHeap 11931->11934 11938 1ca8c3 11932->11938 11934->11937 11935 1c66c0 11936 1c75f6 __dosmaperr RtlAllocateHeap 11935->11936 11935->11937 11936->11937 11937->11923 11939 1ca8cf __cftof 11938->11939 11942 1ca967 11939->11942 11941 1ca8ea 11941->11935 11946 1ca98a 11942->11946 11943 1cd82f __dosmaperr RtlAllocateHeap 11944 1ca9eb 11943->11944 11945 1cadf5 ___free_lconv_mon RtlAllocateHeap 11944->11945 11947 1ca9d0 11945->11947 11946->11943 11946->11947 11947->11941 11953 194120 11954 19416a 11953->11954 11956 1941b2 Concurrency::details::_ContextCallback::_CallInContext __floor_pentium4 11954->11956 11957 193ee0 11954->11957 11958 193f48 11957->11958 11960 193f1e 11957->11960 11962 193f58 11958->11962 11963 192c00 11958->11963 11960->11956 11962->11956 11964 1ad3e2 RtlAllocateHeap 11963->11964 11965 192c0e 11964->11965 11973 1ab847 11965->11973 11967 192c49 11967->11956 11968 192c42 11968->11967 11979 192c80 11968->11979 11970 192c58 11982 192560 11970->11982 11972 192c65 Concurrency::cancel_current_task 11974 1ab854 11973->11974 11978 1ab873 Concurrency::details::_Reschedule_chore 11973->11978 11985 1acb77 11974->11985 11976 1ab864 11976->11978 11987 1ab81e 11976->11987 11978->11968 11993 1ab7fb 11979->11993 11981 192cb2 shared_ptr 11981->11970 11983 1c38af ___std_exception_copy RtlAllocateHeap 11982->11983 11984 192597 __floor_pentium4 11983->11984 11984->11972 11986 1acb92 CreateThreadpoolWork 11985->11986 11986->11976 11989 1ab827 Concurrency::details::_Reschedule_chore 11987->11989 11991 1acdcc 11989->11991 11990 1ab841 11990->11978 11992 1acde1 TpPostWork 11991->11992 11992->11990 11994 1ab817 11993->11994 11995 1ab807 11993->11995 11994->11981 11995->11994 11997 1aca78 11995->11997 11998 1aca8d TpReleaseWork 11997->11998 11998->11994 12034 1a8320 12035 1a8339 12034->12035 12036 1a834d 12035->12036 12037 1a8f40 RtlAllocateHeap 12035->12037 12037->12036 12038 19215a 12043 1ac6fc 12038->12043 12041 1ad64e RtlAllocateHeap 12042 19216e 12041->12042 12044 1ac70c 12043->12044 12045 192164 12043->12045 12044->12045 12047 1acfbe 12044->12047 12045->12041 12048 1accd5 __Mtx_init_in_situ InitializeCriticalSectionEx 12047->12048 12049 1acfd0 12048->12049 12049->12044 12050 19a54d 12051 19a555 shared_ptr 12050->12051 12052 19a628 shared_ptr 12051->12052 12053 19a944 12051->12053 12056 1a80c0 RtlAllocateHeap 12052->12056 12054 1c6c6a RtlAllocateHeap 12053->12054 12055 19a949 12054->12055 12057 1c6c6a RtlAllocateHeap 12055->12057 12058 19a903 12056->12058 12059 19a94e 12057->12059 12060 1c6c6a RtlAllocateHeap 12059->12060 12061 19a953 Sleep CreateMutexA 12060->12061 12062 19a98e 12061->12062 12115 199f44 12120 199f4c shared_ptr 12115->12120 12116 19a92b 12118 19a953 Sleep CreateMutexA 12116->12118 12119 1c6c6a RtlAllocateHeap 12116->12119 12117 19a01f shared_ptr 12122 1a80c0 RtlAllocateHeap 12117->12122 12121 19a98e 12118->12121 12119->12118 12120->12116 12120->12117 12123 19a903 12122->12123 12124 193970 12125 1ac68b __Mtx_init_in_situ 2 API calls 12124->12125 12126 1939a7 12125->12126 12127 1ac68b __Mtx_init_in_situ 2 API calls 12126->12127 12128 1939e6 12127->12128 12129 192170 12130 1ac6fc InitializeCriticalSectionEx 12129->12130 12131 19217a 12130->12131 12132 1ad64e RtlAllocateHeap 12131->12132 12133 192184 12132->12133 12134 193770 12135 19379b 12134->12135 12136 1937cd shared_ptr 12135->12136 12137 1c6c6a RtlAllocateHeap 12135->12137 12138 19380f 12137->12138 12139 195f76 12141 195f81 shared_ptr 12139->12141 12140 195ffe shared_ptr __floor_pentium4 12141->12140 12142 1c6c6a RtlAllocateHeap 12141->12142 12143 19601b 12142->12143 12144 1a80c0 RtlAllocateHeap 12143->12144 12145 196089 12144->12145 12146 1a80c0 RtlAllocateHeap 12145->12146 12147 1960bd 12146->12147 12148 1a80c0 RtlAllocateHeap 12147->12148 12149 1960ee 12148->12149 12150 1a80c0 RtlAllocateHeap 12149->12150 12151 19611f 12150->12151 12152 1a80c0 RtlAllocateHeap 12151->12152 12154 196150 12152->12154 12153 1965b1 shared_ptr __floor_pentium4 12154->12153 12155 1c6c6a RtlAllocateHeap 12154->12155 12156 1965dc 12155->12156 12157 1a7a00 RtlAllocateHeap 12156->12157 12158 1966a6 12157->12158 12159 195c10 4 API calls 12158->12159 12160 1966ac 12159->12160 12161 195c10 4 API calls 12160->12161 12162 1966b1 12161->12162 12163 1922c0 4 API calls 12162->12163 12164 1966c9 shared_ptr 12163->12164 12165 1a7a00 RtlAllocateHeap 12164->12165 12166 196732 12165->12166 12167 195c10 4 API calls 12166->12167 12168 19673d 12167->12168 12169 1922c0 4 API calls 12168->12169 12176 196757 shared_ptr 12169->12176 12170 196852 12171 1a80c0 RtlAllocateHeap 12170->12171 12173 19689c 12171->12173 12172 1a7a00 RtlAllocateHeap 12172->12176 12174 1a80c0 RtlAllocateHeap 12173->12174 12177 1968e3 shared_ptr __floor_pentium4 12174->12177 12175 195c10 4 API calls 12175->12176 12176->12170 12176->12172 12176->12175 12178 1922c0 4 API calls 12176->12178 12178->12176 12222 193f9f 12223 193fad 12222->12223 12227 193fc5 12222->12227 12224 192410 5 API calls 12223->12224 12225 193fb6 12224->12225 12226 193ce0 RtlAllocateHeap 12225->12226 12226->12227 12231 192b90 12232 192bce 12231->12232 12233 1ab7fb TpReleaseWork 12232->12233 12234 192bdb shared_ptr __floor_pentium4 12233->12234 12250 198980 12259 1989d8 shared_ptr 12250->12259 12260 198aea 12250->12260 12251 1a7a00 RtlAllocateHeap 12251->12259 12252 195c10 4 API calls 12252->12259 12253 198b20 12254 1a8200 RtlAllocateHeap 12253->12254 12256 198b25 12254->12256 12255 1a80c0 RtlAllocateHeap 12255->12259 12257 1c6c6a RtlAllocateHeap 12256->12257 12258 198b2a 12257->12258 12259->12251 12259->12252 12259->12253 12259->12255 12259->12256 12259->12260 12289 1c8bbe 12290 1c8868 4 API calls 12289->12290 12291 1c8bdc 12290->12291 12292 19b7b1 12293 19b7be 12292->12293 12294 1a7a00 RtlAllocateHeap 12293->12294 12295 19b7f3 12294->12295 12296 1a7a00 RtlAllocateHeap 12295->12296 12297 19b80b 12296->12297 12298 1a7a00 RtlAllocateHeap 12297->12298 12299 19b823 12298->12299 12300 1a7a00 RtlAllocateHeap 12299->12300 12301 19b835 12300->12301 12306 1c67b7 12307 1c67c3 __cftof 12306->12307 12308 1c67cd 12307->12308 12311 1c67e2 12307->12311 12309 1c75f6 __dosmaperr RtlAllocateHeap 12308->12309 12310 1c67d2 12309->12310 12312 1c6c5a __cftof RtlAllocateHeap 12310->12312 12314 1c67dd 12311->12314 12315 1c6740 12311->12315 12312->12314 12316 1c674d 12315->12316 12317 1c6762 12315->12317 12318 1c75f6 __dosmaperr RtlAllocateHeap 12316->12318 12324 1c675d 12317->12324 12331 1ca038 12317->12331 12319 1c6752 12318->12319 12321 1c6c5a __cftof RtlAllocateHeap 12319->12321 12321->12324 12324->12314 12327 1c6785 12348 1caebb 12327->12348 12330 1cadf5 ___free_lconv_mon RtlAllocateHeap 12330->12324 12332 1c6777 12331->12332 12333 1ca050 12331->12333 12337 1cb00b 12332->12337 12333->12332 12334 1cafe4 RtlAllocateHeap 12333->12334 12335 1ca06e 12334->12335 12363 1d0439 12335->12363 12338 1cb022 12337->12338 12340 1c677f 12337->12340 12339 1cadf5 ___free_lconv_mon RtlAllocateHeap 12338->12339 12338->12340 12339->12340 12341 1cafe4 12340->12341 12342 1cb005 12341->12342 12343 1caff0 12341->12343 12342->12327 12344 1c75f6 __dosmaperr RtlAllocateHeap 12343->12344 12345 1caff5 12344->12345 12346 1c6c5a __cftof RtlAllocateHeap 12345->12346 12347 1cb000 12346->12347 12347->12327 12349 1caecc 12348->12349 12352 1caee1 12348->12352 12350 1c75e3 __dosmaperr RtlAllocateHeap 12349->12350 12353 1caed1 12350->12353 12351 1caf2a 12354 1c75e3 __dosmaperr RtlAllocateHeap 12351->12354 12352->12351 12356 1caf08 12352->12356 12355 1c75f6 __dosmaperr RtlAllocateHeap 12353->12355 12357 1caf2f 12354->12357 12360 1c678b 12355->12360 12381 1cae2f 12356->12381 12359 1c75f6 __dosmaperr RtlAllocateHeap 12357->12359 12361 1caf37 12359->12361 12360->12324 12360->12330 12362 1c6c5a __cftof RtlAllocateHeap 12361->12362 12362->12360 12364 1d0445 __cftof 12363->12364 12365 1d044d 12364->12365 12366 1d0465 12364->12366 12367 1c75e3 __dosmaperr RtlAllocateHeap 12365->12367 12368 1d0500 12366->12368 12375 1d0497 12366->12375 12369 1d0452 12367->12369 12370 1c75e3 __dosmaperr RtlAllocateHeap 12368->12370 12371 1c75f6 __dosmaperr RtlAllocateHeap 12369->12371 12372 1d0505 12370->12372 12379 1d045a 12371->12379 12373 1c75f6 __dosmaperr RtlAllocateHeap 12372->12373 12374 1d050d 12373->12374 12376 1c6c5a __cftof RtlAllocateHeap 12374->12376 12377 1c75f6 __dosmaperr RtlAllocateHeap 12375->12377 12375->12379 12376->12379 12378 1d04be 12377->12378 12380 1c75e3 __dosmaperr RtlAllocateHeap 12378->12380 12379->12332 12380->12379 12382 1cae3b __cftof 12381->12382 12383 1cae7b 12382->12383 12384 1cae70 12382->12384 12385 1c75f6 __dosmaperr RtlAllocateHeap 12383->12385 12388 1caf48 12384->12388 12387 1cae76 12385->12387 12387->12360 12399 1cc0de 12388->12399 12390 1caf58 12391 1caf90 12390->12391 12392 1caf5e 12390->12392 12393 1cc0de RtlAllocateHeap 12390->12393 12391->12392 12394 1cc0de RtlAllocateHeap 12391->12394 12395 1cafd8 12392->12395 12397 1c75c0 __dosmaperr RtlAllocateHeap 12392->12397 12396 1caf87 12393->12396 12394->12392 12395->12387 12398 1cc0de RtlAllocateHeap 12396->12398 12397->12395 12398->12391 12400 1cc0eb 12399->12400 12401 1cc100 12399->12401 12402 1c75e3 __dosmaperr RtlAllocateHeap 12400->12402 12403 1c75e3 __dosmaperr RtlAllocateHeap 12401->12403 12405 1cc125 12401->12405 12404 1cc0f0 12402->12404 12406 1cc130 12403->12406 12407 1c75f6 __dosmaperr RtlAllocateHeap 12404->12407 12405->12390 12408 1c75f6 __dosmaperr RtlAllocateHeap 12406->12408 12409 1cc0f8 12407->12409 12410 1cc138 12408->12410 12409->12390 12411 1c6c5a __cftof RtlAllocateHeap 12410->12411 12411->12409 12412 196db5 12413 196dc2 12412->12413 12414 196dca 12413->12414 12415 196df5 12413->12415 12416 1a80c0 RtlAllocateHeap 12414->12416 12417 1a80c0 RtlAllocateHeap 12415->12417 12418 196deb shared_ptr 12416->12418 12417->12418 12419 196ec1 shared_ptr 12418->12419 12420 1c6c6a RtlAllocateHeap 12418->12420 12421 196ee3 12420->12421 12471 199ba5 12472 199ba7 12471->12472 12473 1a7a00 RtlAllocateHeap 12472->12473 12474 199ca9 12473->12474 12475 195c10 4 API calls 12474->12475 12476 199cb1 12475->12476 12477 198b30 4 API calls 12476->12477 12478 199cc2 12477->12478 12479 1a8220 RtlAllocateHeap 12478->12479 12480 199cd1 12479->12480 12481 1987d0 12482 1988d3 12481->12482 12489 198819 shared_ptr 12481->12489 12483 1a80c0 RtlAllocateHeap 12482->12483 12490 198923 12483->12490 12484 19896c 12486 1a8200 RtlAllocateHeap 12484->12486 12485 1a80c0 RtlAllocateHeap 12485->12489 12488 198971 12486->12488 12487 198949 shared_ptr 12489->12482 12489->12484 12489->12485 12489->12490 12490->12487 12491 1c6c6a RtlAllocateHeap 12490->12491 12491->12484 12532 1921c0 12533 1921cb 12532->12533 12534 1921d0 12532->12534 12535 1921d4 12534->12535 12539 1921ec __cftof 12534->12539 12536 1c75f6 __dosmaperr RtlAllocateHeap 12535->12536 12537 1921d9 12536->12537 12540 1c6c5a __cftof RtlAllocateHeap 12537->12540 12538 1921fc __cftof 12539->12538 12541 19223a 12539->12541 12542 192221 12539->12542 12543 1921e4 12540->12543 12545 192231 12541->12545 12547 1c75f6 __dosmaperr RtlAllocateHeap 12541->12547 12544 1c75f6 __dosmaperr RtlAllocateHeap 12542->12544 12546 192226 12544->12546 12548 1c6c5a __cftof RtlAllocateHeap 12546->12548 12549 192247 12547->12549 12548->12545 12550 1c6c5a __cftof RtlAllocateHeap 12549->12550 12551 192252 12550->12551 12555 1a79c0 12556 1a79e0 12555->12556 12556->12556 12557 1a80c0 RtlAllocateHeap 12556->12557 12558 1a79f2 12557->12558 12563 1a83c0 12564 1a7760 RtlAllocateHeap 12563->12564 12565 1a8439 12564->12565 12566 1a8f40 RtlAllocateHeap 12565->12566 12567 1a8454 12565->12567 12566->12567 12568 1a8f40 RtlAllocateHeap 12567->12568 12570 1a84a8 12567->12570 12569 1a84ee 12568->12569 12571 1955f0 12572 195610 12571->12572 12573 1922c0 4 API calls 12572->12573 12574 195710 __floor_pentium4 12572->12574 12573->12572 12575 1943f0 12576 1abedf InitOnceExecuteOnce 12575->12576 12577 19440a 12576->12577 12578 194411 12577->12578 12579 1c6cbb 4 API calls 12577->12579 12580 194424 12579->12580 12621 193fe0 12622 194022 12621->12622 12623 19408c 12622->12623 12624 1940d2 12622->12624 12627 194035 __floor_pentium4 12622->12627 12628 1935e0 12623->12628 12625 193ee0 4 API calls 12624->12625 12625->12627 12629 1ad3e2 RtlAllocateHeap 12628->12629 12630 193616 12629->12630 12634 19364e Concurrency::cancel_current_task shared_ptr __floor_pentium4 12630->12634 12635 192ce0 12630->12635 12632 19369e 12633 192c00 4 API calls 12632->12633 12632->12634 12633->12634 12634->12627 12636 192d1d 12635->12636 12637 1abedf InitOnceExecuteOnce 12636->12637 12638 192d46 12637->12638 12639 192d88 12638->12639 12640 192d51 __floor_pentium4 12638->12640 12644 1abef7 12638->12644 12642 192440 4 API calls 12639->12642 12640->12632 12643 192d9b 12642->12643 12643->12632 12645 1abf03 12644->12645 12653 192900 12645->12653 12647 1abf23 Concurrency::cancel_current_task 12648 1abf6a 12647->12648 12649 1abf73 12647->12649 12663 1abe7f 12648->12663 12651 192ae0 5 API calls 12649->12651 12652 1abf6f 12651->12652 12652->12639 12654 1a80c0 RtlAllocateHeap 12653->12654 12655 19294f 12654->12655 12656 1926b0 RtlAllocateHeap 12655->12656 12658 192967 12656->12658 12657 19298d shared_ptr 12657->12647 12658->12657 12659 1c6c6a RtlAllocateHeap 12658->12659 12660 1929b6 12659->12660 12661 1c38af ___std_exception_copy RtlAllocateHeap 12660->12661 12662 1929e4 12661->12662 12662->12647 12664 1acc31 InitOnceExecuteOnce 12663->12664 12665 1abe97 12664->12665 12666 1abe9e 12665->12666 12667 1c6cbb 4 API calls 12665->12667 12666->12652 12668 1abea7 12667->12668 12668->12652 12669 1a8de0 12670 1a8f2f 12669->12670 12671 1a8e05 12669->12671 12672 1a9270 RtlAllocateHeap 12670->12672 12675 1a8e4c 12671->12675 12676 1a8e76 12671->12676 12673 1a8f34 12672->12673 12674 192480 RtlAllocateHeap 12673->12674 12682 1a8e5d __cftof 12674->12682 12675->12673 12677 1a8e57 12675->12677 12679 1ad3e2 RtlAllocateHeap 12676->12679 12676->12682 12678 1ad3e2 RtlAllocateHeap 12677->12678 12678->12682 12679->12682 12680 1c6c6a RtlAllocateHeap 12681 1a8f3e 12680->12681 12682->12680 12683 1a8eed shared_ptr __cftof 12682->12683 12684 1a85e0 12685 1a85f6 12684->12685 12685->12685 12686 1a860b 12685->12686 12687 1a8f40 RtlAllocateHeap 12685->12687 12687->12686

                                                                                                                                                                                                                                                                        Executed Functions

                                                                                                                                                                                                                                                                        Function 001C652B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 367 1c652b-1c6538 call 1ca302 370 1c655a-1c656c call 1c656d ExitProcess 367->370 371 1c653a-1c6548 GetPEB 367->371 371->370 372 1c654a-1c6559 371->372 372->370
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • ExitProcess.KERNEL32(?,?,001C652A,?,?,?,?,?,001C7661), ref: 001C6567
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ExitProcess
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 621844428-0
                                                                                                                                                                                                                                                                        • Opcode ID: af9aff894b3f1e22f23142c926649d4adda8df1b289cffefc3533459400685c0
                                                                                                                                                                                                                                                                        • Instruction ID: 9ff9521cce9877dce98a180e1d89b257d492b4792f07dfbb103443996fc93733
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: af9aff894b3f1e22f23142c926649d4adda8df1b289cffefc3533459400685c0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F5E08C30041148AFCE267B18C859F483B69EF3278AF205808FC1886222CB29ED82CA80
                                                                                                                                                                                                                                                                        Function 00199BA5 Relevance: 3.1, APIs: 2, Instructions: 140sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: cca52d316f804a7bde858fbf43e836dea516821628d8b97ec2f198870a86ad78
                                                                                                                                                                                                                                                                        • Instruction ID: fcb8839f7fb0a567a5c91088fe2710e9c58c31fcff781fad626ca95f8e9d935a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cca52d316f804a7bde858fbf43e836dea516821628d8b97ec2f198870a86ad78
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 753148716042008BEF18EB7CDD89B6DBBA2EFC6314F20821CE115973D5CB759A858791
                                                                                                                                                                                                                                                                        Function 00199F44 Relevance: 3.1, APIs: 2, Instructions: 137sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 22 199f44-199f64 26 199f92-199fae 22->26 27 199f66-199f72 22->27 30 199fdc-199ffb 26->30 31 199fb0-199fbc 26->31 28 199f88-199f8f call 1ad663 27->28 29 199f74-199f82 27->29 28->26 29->28 34 19a92b 29->34 32 19a029-19a916 call 1a80c0 30->32 33 199ffd-19a009 30->33 36 199fbe-199fcc 31->36 37 199fd2-199fd9 call 1ad663 31->37 38 19a00b-19a019 33->38 39 19a01f-19a026 call 1ad663 33->39 41 19a953-19a994 Sleep CreateMutexA 34->41 42 19a92b call 1c6c6a 34->42 36->34 36->37 37->30 38->34 38->39 39->32 51 19a9a7-19a9a8 41->51 52 19a996-19a998 41->52 42->41 52->51 54 19a99a-19a9a5 52->54 54->51
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 648d46735807c0d4fa697396ac8ccb3c4dcf720d899deb412acfc375eace00b3
                                                                                                                                                                                                                                                                        • Instruction ID: 803faaa60eba545dc25ed360b53253b4144629460957202f9559346312caff53
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 648d46735807c0d4fa697396ac8ccb3c4dcf720d899deb412acfc375eace00b3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB3148316041048BEF189B7CDC987ADFBA2EFC6314F24421CE519D73D5CB3599858792
                                                                                                                                                                                                                                                                        Function 0019A079 Relevance: 3.1, APIs: 2, Instructions: 136sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 56 19a079-19a099 60 19a09b-19a0a7 56->60 61 19a0c7-19a0e3 56->61 62 19a0a9-19a0b7 60->62 63 19a0bd-19a0c4 call 1ad663 60->63 64 19a111-19a130 61->64 65 19a0e5-19a0f1 61->65 62->63 66 19a930 62->66 63->61 70 19a15e-19a916 call 1a80c0 64->70 71 19a132-19a13e 64->71 68 19a0f3-19a101 65->68 69 19a107-19a10e call 1ad663 65->69 74 19a953-19a994 Sleep CreateMutexA 66->74 75 19a930 call 1c6c6a 66->75 68->66 68->69 69->64 77 19a140-19a14e 71->77 78 19a154-19a15b call 1ad663 71->78 85 19a9a7-19a9a8 74->85 86 19a996-19a998 74->86 75->74 77->66 77->78 78->70 86->85 88 19a99a-19a9a5 86->88 88->85
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 129b5c96a78945ca2d72ce7d5a5def71ed4355ca3162fb8c5519bca024f29872
                                                                                                                                                                                                                                                                        • Instruction ID: beed17a8ccedd002ddc1eaeabe83e86ea9e25544897460547bb356639d3a8ff2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 129b5c96a78945ca2d72ce7d5a5def71ed4355ca3162fb8c5519bca024f29872
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB317931B142009BEF08DBB8DD88B6DBB72EFC2314F644218E014973D1CB3699888792
                                                                                                                                                                                                                                                                        Function 0019A1AE Relevance: 3.1, APIs: 2, Instructions: 135sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 90 19a1ae-19a1ce 94 19a1fc-19a218 90->94 95 19a1d0-19a1dc 90->95 98 19a21a-19a226 94->98 99 19a246-19a265 94->99 96 19a1de-19a1ec 95->96 97 19a1f2-19a1f9 call 1ad663 95->97 96->97 104 19a935 96->104 97->94 100 19a228-19a236 98->100 101 19a23c-19a243 call 1ad663 98->101 102 19a293-19a916 call 1a80c0 99->102 103 19a267-19a273 99->103 100->101 100->104 101->99 107 19a289-19a290 call 1ad663 103->107 108 19a275-19a283 103->108 110 19a953-19a994 Sleep CreateMutexA 104->110 111 19a935 call 1c6c6a 104->111 107->102 108->104 108->107 119 19a9a7-19a9a8 110->119 120 19a996-19a998 110->120 111->110 120->119 122 19a99a-19a9a5 120->122 122->119
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 0fcbb497f86ceacc424d7290a3381aea14a3ed154b44a22310b22e01490fd92a
                                                                                                                                                                                                                                                                        • Instruction ID: 00c22b4ac658f03f9208b43f4cd3eb5e010469db3c815e514e111f8b4bbfe966
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0fcbb497f86ceacc424d7290a3381aea14a3ed154b44a22310b22e01490fd92a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 26312631A041409FEF089BB8DC89B6DBB72EFD6314F604218E1149B3D1CB3699888692
                                                                                                                                                                                                                                                                        Function 0019A418 Relevance: 3.1, APIs: 2, Instructions: 133sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 124 19a418-19a438 128 19a43a-19a446 124->128 129 19a466-19a482 124->129 130 19a448-19a456 128->130 131 19a45c-19a463 call 1ad663 128->131 132 19a4b0-19a4cf 129->132 133 19a484-19a490 129->133 130->131 134 19a93f-19a994 call 1c6c6a * 4 Sleep CreateMutexA 130->134 131->129 138 19a4fd-19a916 call 1a80c0 132->138 139 19a4d1-19a4dd 132->139 136 19a492-19a4a0 133->136 137 19a4a6-19a4ad call 1ad663 133->137 160 19a9a7-19a9a8 134->160 161 19a996-19a998 134->161 136->134 136->137 137->132 140 19a4df-19a4ed 139->140 141 19a4f3-19a4fa call 1ad663 139->141 140->134 140->141 141->138 161->160 162 19a99a-19a9a5 161->162 162->160
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: f8d02352c61f5ca6cef1af614bf299dfe1151a2121452292de1d98f8ce7d801f
                                                                                                                                                                                                                                                                        • Instruction ID: e9780e9977fcd75861bb908a3c58b56331599fd28f99217bc5602c4b7be665b0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f8d02352c61f5ca6cef1af614bf299dfe1151a2121452292de1d98f8ce7d801f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 48316831A001009BEF08ABB8DC89B7DBB72EFD2314F644218E0149B3D5CB7599888696
                                                                                                                                                                                                                                                                        Function 0019A54D Relevance: 3.1, APIs: 2, Instructions: 132sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 164 19a54d-19a56d 168 19a59b-19a5b7 164->168 169 19a56f-19a57b 164->169 172 19a5b9-19a5c5 168->172 173 19a5e5-19a604 168->173 170 19a57d-19a58b 169->170 171 19a591-19a598 call 1ad663 169->171 170->171 176 19a944-19a994 call 1c6c6a * 3 Sleep CreateMutexA 170->176 171->168 178 19a5db-19a5e2 call 1ad663 172->178 179 19a5c7-19a5d5 172->179 174 19a632-19a916 call 1a80c0 173->174 175 19a606-19a612 173->175 180 19a628-19a62f call 1ad663 175->180 181 19a614-19a622 175->181 198 19a9a7-19a9a8 176->198 199 19a996-19a998 176->199 178->173 179->176 179->178 180->174 181->176 181->180 199->198 200 19a99a-19a9a5 199->200 200->198
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: b2e003ab86719ca07df5b971b371616e60ebc30f7af955bf451844e92766bab7
                                                                                                                                                                                                                                                                        • Instruction ID: a11181e8aeabb3cbdab34f86d9d6fd55a66d6ed1f093a3c62d3e9c288b157e16
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b2e003ab86719ca07df5b971b371616e60ebc30f7af955bf451844e92766bab7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C3126717041008BFF08DBB8DC99B6DBBA2EFC6318F648218E1149B3D1CB3599898792
                                                                                                                                                                                                                                                                        Function 0019A682 Relevance: 3.1, APIs: 2, Instructions: 131sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 202 19a682-19a6a2 206 19a6d0-19a6ec 202->206 207 19a6a4-19a6b0 202->207 208 19a71a-19a739 206->208 209 19a6ee-19a6fa 206->209 210 19a6b2-19a6c0 207->210 211 19a6c6-19a6cd call 1ad663 207->211 214 19a73b-19a747 208->214 215 19a767-19a916 call 1a80c0 208->215 212 19a6fc-19a70a 209->212 213 19a710-19a717 call 1ad663 209->213 210->211 216 19a949-19a994 call 1c6c6a * 2 Sleep CreateMutexA 210->216 211->206 212->213 212->216 213->208 220 19a749-19a757 214->220 221 19a75d-19a764 call 1ad663 214->221 234 19a9a7-19a9a8 216->234 235 19a996-19a998 216->235 220->216 220->221 221->215 235->234 236 19a99a-19a9a5 235->236 236->234
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 184145d9c6d1049bc775750ec9091142129b50af423b2f63ff10a3fdcb6a4e42
                                                                                                                                                                                                                                                                        • Instruction ID: 7848075dfab1178e635f1808ab6bfb1c910f5f21e8d7ef6b38fe04ca7545e527
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 184145d9c6d1049bc775750ec9091142129b50af423b2f63ff10a3fdcb6a4e42
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E3159716042409BEF0CDBBCDC89B6DBBB2EFC5314F648218E114973D1CB3599898792
                                                                                                                                                                                                                                                                        Function 00199ADC Relevance: 3.1, APIs: 2, Instructions: 107sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 238 199adc-199ae8 239 199aea-199af8 238->239 240 199afe-199b27 call 1ad663 238->240 239->240 241 19a917 239->241 248 199b29-199b35 240->248 249 199b55-199b57 240->249 243 19a953-19a994 Sleep CreateMutexA 241->243 244 19a917 call 1c6c6a 241->244 252 19a9a7-19a9a8 243->252 253 19a996-19a998 243->253 244->243 254 199b4b-199b52 call 1ad663 248->254 255 199b37-199b45 248->255 250 199b59-19a916 call 1a80c0 249->250 251 199b65-199d91 call 1a7a00 call 195c10 call 198b30 call 1a8220 call 1a7a00 call 195c10 call 198b30 call 1a8220 249->251 253->252 257 19a99a-19a9a5 253->257 254->249 255->241 255->254 257->252
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 10a1b2c293b77559acd0f8dbc09335cbfd4848bf8fb4c21cd898470b267fc814
                                                                                                                                                                                                                                                                        • Instruction ID: b0bf2bb0f059e80821cd6fe47843649523a49b37943dcf045fa847722c95a1d3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 10a1b2c293b77559acd0f8dbc09335cbfd4848bf8fb4c21cd898470b267fc814
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D2146326042009BEF189B6CEC99B3CF762FFD1314F20421DE519977D1CB75A9858652
                                                                                                                                                                                                                                                                        Function 0019A856 Relevance: 3.1, APIs: 2, Instructions: 100sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 315 19a856-19a86e 316 19a89c-19a89e 315->316 317 19a870-19a87c 315->317 320 19a8a9-19a8b1 call 197d30 316->320 321 19a8a0-19a8a7 316->321 318 19a87e-19a88c 317->318 319 19a892-19a899 call 1ad663 317->319 318->319 322 19a94e-19a987 call 1c6c6a Sleep CreateMutexA 318->322 319->316 332 19a8b3-19a8bb call 197d30 320->332 333 19a8e4-19a8e6 320->333 324 19a8eb-19a916 call 1a80c0 321->324 336 19a98e-19a994 322->336 332->333 337 19a8bd-19a8c5 call 197d30 332->337 333->324 338 19a9a7-19a9a8 336->338 339 19a996-19a998 336->339 337->333 343 19a8c7-19a8cf call 197d30 337->343 339->338 341 19a99a-19a9a5 339->341 341->338 343->333 347 19a8d1-19a8d9 call 197d30 343->347 347->333 350 19a8db-19a8e2 347->350 350->324
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: a809308905cc4309f5c99c23083d6129a1a57987cf5824a6b8ee3d15d73b8fa9
                                                                                                                                                                                                                                                                        • Instruction ID: 4e98a8ca93730c54afcf978a5d1fc002d81ddaefef9abf7315a5062c3afaaeec
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a809308905cc4309f5c99c23083d6129a1a57987cf5824a6b8ee3d15d73b8fa9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11212C712582019AFF2877AC9C9AB3DB692EFD1305F740816E248D63D1CF76998981D3
                                                                                                                                                                                                                                                                        Function 0019A34F Relevance: 3.1, APIs: 2, Instructions: 100sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 292 19a34f-19a35b 293 19a35d-19a36b 292->293 294 19a371-19a39a call 1ad663 292->294 293->294 295 19a93a 293->295 300 19a3c8-19a916 call 1a80c0 294->300 301 19a39c-19a3a8 294->301 297 19a953-19a994 Sleep CreateMutexA 295->297 298 19a93a call 1c6c6a 295->298 307 19a9a7-19a9a8 297->307 308 19a996-19a998 297->308 298->297 302 19a3aa-19a3b8 301->302 303 19a3be-19a3c5 call 1ad663 301->303 302->295 302->303 303->300 308->307 311 19a99a-19a9a5 308->311 311->307
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 98b5c36d2ef8dc3a5bef5dd29a79fe3d922a4fe6d0014dda6e8d528d240438e5
                                                                                                                                                                                                                                                                        • Instruction ID: 5907f75bd6618cfccc22c20f712e3fd38a5c52cfcdf21334e28a85d770a846e4
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 98b5c36d2ef8dc3a5bef5dd29a79fe3d922a4fe6d0014dda6e8d528d240438e5
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EF2149726042009BEF189B6CDC8977CBB72FFD1314F244219E519977D0CB76AA848292
                                                                                                                                                                                                                                                                        Function 001CD82F Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 351 1cd82f-1cd83a 352 1cd83c-1cd846 351->352 353 1cd848-1cd84e 351->353 352->353 354 1cd87c-1cd887 call 1c75f6 352->354 355 1cd867-1cd878 RtlAllocateHeap 353->355 356 1cd850-1cd851 353->356 362 1cd889-1cd88b 354->362 358 1cd87a 355->358 359 1cd853-1cd85a call 1c9dc0 355->359 356->355 358->362 359->354 364 1cd85c-1cd865 call 1c8e36 359->364 364->354 364->355
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001CA813,00000001,00000364,00000006,000000FF,?,001CEE3F,?,00000004,00000000,?,?), ref: 001CD871
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                        • Opcode ID: eefc215e3bd469519f14301f13eb671aed9b03edc3e0820c91ad2d797fe845ba
                                                                                                                                                                                                                                                                        • Instruction ID: 9b765cbbbffc6bda308bb56f27779096d9df66d9c74d9d7318f2b51aae52a156
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eefc215e3bd469519f14301f13eb671aed9b03edc3e0820c91ad2d797fe845ba
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DEF0E23260122466EF213A76BC01F6B7758DFB57B0B1B803DFD08A7181DB20DC1086E0

                                                                                                                                                                                                                                                                        Non-executed Functions

                                                                                                                                                                                                                                                                        Function 00192EC0 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 57040152-0
                                                                                                                                                                                                                                                                        • Opcode ID: 79cdb060fe5af0c69c6e6f72bc84cb5e622e66696449fa9197f7db2c011fd3c0
                                                                                                                                                                                                                                                                        • Instruction ID: 02e5c3649cbe9d33939613d3a49ff9f09ce2317bf195cf18c417c5ba1fdaeb49
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 79cdb060fe5af0c69c6e6f72bc84cb5e622e66696449fa9197f7db2c011fd3c0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2A1C0B0A01605AFDF25DF64C944BAAB7F8FF25314F04812AE825D7251EB31EA04CBD1
                                                                                                                                                                                                                                                                        Function 001CCBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: _strrchr
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3213747228-0
                                                                                                                                                                                                                                                                        • Opcode ID: ff3b895da8359e455593cab76a85431316fff6c614e69054163c5cc9de6e39d3
                                                                                                                                                                                                                                                                        • Instruction ID: f97d4599da598b88e2cdab96dd2d5b8ef1f15fa50ac17ed47a72b0be8718aa95
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ff3b895da8359e455593cab76a85431316fff6c614e69054163c5cc9de6e39d3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E5B101329042859FDB158F68C881BBEBFA5EF66340F1441AEE859EB241D734CD02CBE4
                                                                                                                                                                                                                                                                        Function 001ABB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2242516422.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242486737.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242516422.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242609669.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242637537.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242671101.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242835994.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242871637.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242908704.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242935163.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2242962388.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243018799.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243046262.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243077277.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243105154.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243133975.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243161219.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243189240.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243219308.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243252155.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243280478.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243325386.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243354429.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243373277.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243401173.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243432005.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243462765.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243491435.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243519341.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243549368.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243576071.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243603762.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243632456.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243662761.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243690707.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243719271.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243748233.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243839467.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243873317.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243903313.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243933014.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243964053.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2243992754.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Xtime_diff_to_millis2_xtime_get
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 531285432-0
                                                                                                                                                                                                                                                                        • Opcode ID: 138f0b5af1d33b6a5da6193fb7d3feb45c70012679f7c6d8d33cbb433b9c8bac
                                                                                                                                                                                                                                                                        • Instruction ID: dfa1fd3fc10346635a2c47c4979335f5947005efbd469372c3b449668fe3a41a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 138f0b5af1d33b6a5da6193fb7d3feb45c70012679f7c6d8d33cbb433b9c8bac
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90212C79A00119AFDF05EFA4DC819BEB7B9EF1A710F110025FA05AB261DB709D419BE0

                                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                                        Execution Coverage:0.9%
                                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                                        Total number of Nodes:623
                                                                                                                                                                                                                                                                        Total number of Limit Nodes:4
                                                                                                                                                                                                                                                                        execution_graph 10412 19215a 10415 1ac6fc 10412->10415 10414 192164 10416 1ac70c 10415->10416 10418 1ac724 10415->10418 10416->10418 10419 1acfbe 10416->10419 10418->10414 10420 1accd5 __Mtx_init_in_situ InitializeCriticalSectionEx 10419->10420 10421 1acfd0 10420->10421 10421->10416 10271 199adc 10275 199aea shared_ptr 10271->10275 10272 19a953 Sleep CreateMutexA 10274 19a98e 10272->10274 10273 19a917 10273->10272 10275->10273 10276 199b4b shared_ptr 10275->10276 10277 195c10 3 API calls 10276->10277 10278 199b59 10276->10278 10279 199b7c 10277->10279 10280 198b30 3 API calls 10279->10280 10281 199b8d 10280->10281 10282 195c10 3 API calls 10281->10282 10283 199cb1 10282->10283 10284 198b30 3 API calls 10283->10284 10285 199cc2 10284->10285 10461 193f9f 10462 193fad 10461->10462 10463 193fb6 10461->10463 10464 192410 4 API calls 10462->10464 10464->10463 10340 192b10 10341 192b1a 10340->10341 10342 192b1c 10340->10342 10343 1ac26a 4 API calls 10342->10343 10344 192b22 10343->10344 10465 192b90 10466 192bce 10465->10466 10467 1ab7fb TpReleaseWork 10466->10467 10468 192bdb shared_ptr std::future_error::future_error 10467->10468 10345 1ad111 10346 1ad121 10345->10346 10347 1ad12a 10346->10347 10349 1ad199 10346->10349 10350 1ad1c0 10349->10350 10351 1ad1a7 SleepConditionVariableCS 10349->10351 10350->10346 10351->10350 9727 19a856 9728 19a870 9727->9728 9731 19a892 shared_ptr 9727->9731 9729 19a953 Sleep CreateMutexA 9728->9729 9728->9731 9730 19a98e 9729->9730 10199 193c8e 10200 193c98 10199->10200 10201 192410 4 API calls 10200->10201 10202 193ca5 10200->10202 10201->10202 10203 193810 3 API calls 10202->10203 10204 193ccf 10203->10204 10205 193810 3 API calls 10204->10205 10206 193cdb shared_ptr 10205->10206 9759 1c6a44 9760 1c6a5c 9759->9760 9761 1c6a52 9759->9761 9764 1c698d 9760->9764 9763 1c6a76 ___free_lconv_mon 9767 1c690a 9764->9767 9766 1c699f 9766->9763 9768 1c692a 9767->9768 9769 1c6921 9767->9769 9768->9769 9775 1ca671 9768->9775 9769->9766 9776 1ca67b __dosmaperr ___free_lconv_mon 9775->9776 9777 1c694a 9776->9777 9788 1c8bec 9776->9788 9780 1cb5fb 9777->9780 9781 1cb60e 9780->9781 9782 1c6960 9780->9782 9781->9782 9814 1cf5ab 9781->9814 9784 1cb628 9782->9784 9785 1cb63b 9784->9785 9787 1cb650 9784->9787 9785->9787 9821 1ce6b1 9785->9821 9787->9769 9789 1c8bf1 __cftof 9788->9789 9793 1c8bfc ___std_exception_copy 9789->9793 9794 1cd634 9789->9794 9808 1c65ed 9793->9808 9796 1cd640 __cftof __dosmaperr 9794->9796 9795 1cd69c __dosmaperr ___std_exception_copy 9795->9793 9796->9795 9797 1cd81b __cftof 9796->9797 9798 1cd726 9796->9798 9800 1cd751 __cftof 9796->9800 9799 1c65ed __cftof 3 API calls 9797->9799 9798->9800 9811 1cd62b 9798->9811 9802 1cd82e 9799->9802 9800->9795 9803 1ca671 __cftof 3 API calls 9800->9803 9806 1cd7a5 9800->9806 9803->9806 9805 1cd62b __cftof 3 API calls 9805->9800 9806->9795 9807 1ca671 __cftof 3 API calls 9806->9807 9807->9795 9809 1c64c7 __cftof 3 API calls 9808->9809 9810 1c65fe 9809->9810 9812 1ca671 __cftof 3 API calls 9811->9812 9813 1cd630 9812->9813 9813->9805 9815 1cf5b7 __dosmaperr 9814->9815 9816 1ca671 __cftof 3 API calls 9815->9816 9817 1cf5c0 __cftof __dosmaperr 9816->9817 9818 1cf606 9817->9818 9819 1c8bec __cftof 3 API calls 9817->9819 9818->9782 9820 1cf62b 9819->9820 9822 1ca671 __cftof 3 API calls 9821->9822 9823 1ce6bb 9822->9823 9826 1ce5c9 9823->9826 9825 1ce6c1 9825->9787 9830 1ce5d5 __cftof __dosmaperr ___free_lconv_mon 9826->9830 9827 1ce5f6 9827->9825 9828 1c8bec __cftof 3 API calls 9829 1ce668 9828->9829 9831 1ce6a4 9829->9831 9835 1ca72e 9829->9835 9830->9827 9830->9828 9831->9825 9836 1ca739 __dosmaperr ___free_lconv_mon 9835->9836 9837 1c8bec __cftof 3 API calls 9836->9837 9839 1ca7be 9836->9839 9838 1ca7c7 9837->9838 9840 1ce4b0 9839->9840 9841 1ce5c9 __cftof 3 API calls 9840->9841 9842 1ce4c3 9841->9842 9847 1ce259 9842->9847 9844 1ce4cb __cftof 9846 1ce4dc __cftof __dosmaperr ___free_lconv_mon 9844->9846 9850 1ce6c4 9844->9850 9846->9831 9848 1c690a __cftof 3 API calls 9847->9848 9849 1ce26b 9848->9849 9849->9844 9851 1ce259 __cftof 3 API calls 9850->9851 9854 1ce6e4 __cftof 9851->9854 9852 1ce75a __cftof std::future_error::future_error 9852->9846 9854->9852 9855 1ce32f 9854->9855 9856 1ce357 9855->9856 9862 1ce420 std::future_error::future_error 9855->9862 9856->9862 9863 1cf1bf 9856->9863 9858 1ce3d7 9866 1d4dfe 9858->9866 9860 1ce3f8 9861 1d4dfe __cftof 3 API calls 9860->9861 9861->9862 9862->9852 9864 1c690a __cftof 3 API calls 9863->9864 9865 1cf1df __cftof __freea std::future_error::future_error 9864->9865 9865->9858 9867 1c690a __cftof 3 API calls 9866->9867 9868 1d4e11 __cftof 9867->9868 9868->9860 9737 192e00 9738 192e28 9737->9738 9741 1ac68b 9738->9741 9744 1ac3d5 9741->9744 9743 192e33 9745 1ac3eb 9744->9745 9746 1ac3e1 9744->9746 9745->9743 9747 1ac39e 9746->9747 9748 1ac3be 9746->9748 9747->9745 9753 1accd5 9747->9753 9757 1acd0a 9748->9757 9751 1ac3d0 9751->9743 9754 1acce3 InitializeCriticalSectionEx 9753->9754 9756 1ac3b7 9753->9756 9754->9756 9756->9743 9758 1acd1f RtlInitializeConditionVariable 9757->9758 9758->9751 10289 19e0c0 recv 10290 19e122 recv 10289->10290 10291 19e157 recv 10290->10291 10293 19e191 10291->10293 10292 19e2b3 std::future_error::future_error 10293->10292 10294 1ac6ac GetSystemTimePreciseAsFileTime 10293->10294 10295 19e2ee 10294->10295 10296 1ac26a 4 API calls 10295->10296 10297 19e358 10296->10297 10298 192ec0 10299 192f06 10298->10299 10302 192f6f 10298->10302 10300 1ac6ac GetSystemTimePreciseAsFileTime 10299->10300 10301 192f12 10300->10301 10304 19301e 10301->10304 10307 192f1d __Mtx_unlock 10301->10307 10303 192fef 10302->10303 10310 1ac6ac GetSystemTimePreciseAsFileTime 10302->10310 10305 1ac26a 4 API calls 10304->10305 10306 193024 10305->10306 10308 1ac26a 4 API calls 10306->10308 10307->10302 10307->10306 10309 192fb9 10308->10309 10311 1ac26a 4 API calls 10309->10311 10312 192fc0 __Mtx_unlock 10309->10312 10310->10309 10311->10312 10313 1ac26a 4 API calls 10312->10313 10314 192fd8 __Cnd_broadcast 10312->10314 10313->10314 10314->10303 10315 1ac26a 4 API calls 10314->10315 10316 19303c 10315->10316 10317 1ac6ac GetSystemTimePreciseAsFileTime 10316->10317 10324 193080 shared_ptr __Mtx_unlock 10317->10324 10318 1931c5 10319 1ac26a 4 API calls 10318->10319 10320 1931cb 10319->10320 10321 1ac26a 4 API calls 10320->10321 10322 1931d1 10321->10322 10323 1ac26a 4 API calls 10322->10323 10325 193193 __Mtx_unlock 10323->10325 10324->10318 10324->10320 10326 1931a7 std::future_error::future_error 10324->10326 10329 1ac6ac GetSystemTimePreciseAsFileTime 10324->10329 10325->10326 10327 1ac26a 4 API calls 10325->10327 10328 1931dd 10327->10328 10330 19315f 10329->10330 10330->10318 10330->10322 10330->10325 10331 1abd4c GetSystemTimePreciseAsFileTime 10330->10331 10331->10330 10469 198980 10471 198aea 10469->10471 10472 1989d8 shared_ptr 10469->10472 10470 195c10 3 API calls 10470->10472 10472->10470 10472->10471 10332 1ad0c7 10333 1ad0d7 10332->10333 10334 1ad17f 10333->10334 10335 1ad17b RtlWakeAllConditionVariable 10333->10335 10432 199f44 10434 199f4c shared_ptr 10432->10434 10433 19a953 Sleep CreateMutexA 10435 19a98e 10433->10435 10434->10433 10436 19a01f shared_ptr 10434->10436 9869 193c47 9870 193c51 9869->9870 9873 193c5f 9870->9873 9876 1932d0 9870->9876 9871 193c68 9873->9871 9895 193810 9873->9895 9899 1ac6ac 9876->9899 9878 19336b 9905 1ac26a 9878->9905 9879 193314 9879->9878 9882 19333c __Mtx_unlock 9879->9882 9902 1abd4c 9879->9902 9883 1ac26a 4 API calls 9882->9883 9884 193350 std::future_error::future_error 9882->9884 9885 193377 9883->9885 9884->9873 9886 1ac6ac GetSystemTimePreciseAsFileTime 9885->9886 9887 1933af 9886->9887 9888 1ac26a 4 API calls 9887->9888 9889 1933b6 __Cnd_broadcast 9887->9889 9888->9889 9890 1ac26a 4 API calls 9889->9890 9891 1933d7 __Mtx_unlock 9889->9891 9890->9891 9892 1ac26a 4 API calls 9891->9892 9893 1933eb 9891->9893 9894 19340e 9892->9894 9893->9873 9894->9873 9896 19381c 9895->9896 9949 192440 9896->9949 9909 1ac452 9899->9909 9901 1ac6b9 9901->9879 9926 1abb72 9902->9926 9904 1abd5c 9904->9879 9906 1ac292 9905->9906 9907 1ac274 9905->9907 9906->9906 9907->9906 9932 1ac297 9907->9932 9910 1ac4a8 9909->9910 9912 1ac47a std::future_error::future_error 9909->9912 9910->9912 9915 1acf6b 9910->9915 9912->9901 9913 1ac4fd __Xtime_diff_to_millis2 9913->9912 9914 1acf6b _xtime_get GetSystemTimePreciseAsFileTime 9913->9914 9914->9913 9916 1acf7a 9915->9916 9917 1acf87 __aulldvrm 9915->9917 9916->9917 9919 1acf44 9916->9919 9917->9913 9922 1acbea 9919->9922 9923 1acbfb GetSystemTimePreciseAsFileTime 9922->9923 9924 1acc07 9922->9924 9923->9924 9924->9917 9927 1abb9c 9926->9927 9928 1acf6b _xtime_get GetSystemTimePreciseAsFileTime 9927->9928 9931 1abba4 __Xtime_diff_to_millis2 std::future_error::future_error 9927->9931 9929 1abbcf __Xtime_diff_to_millis2 9928->9929 9930 1acf6b _xtime_get GetSystemTimePreciseAsFileTime 9929->9930 9929->9931 9930->9931 9931->9904 9935 192ae0 9932->9935 9934 1ac2ae Concurrency::cancel_current_task 9942 1abedf 9935->9942 9937 192af4 __dosmaperr 9937->9934 9938 1ca671 __cftof 3 API calls 9937->9938 9941 1c6ccc 9938->9941 9939 1c8bec __cftof 3 API calls 9940 1c6cf6 9939->9940 9941->9939 9945 1acc31 9942->9945 9946 1acc3f InitOnceExecuteOnce 9945->9946 9947 1abef2 9945->9947 9946->9947 9947->9937 9952 1ab5d6 9949->9952 9951 192472 9954 1ab5f1 Concurrency::cancel_current_task 9952->9954 9953 1c8bec __cftof 3 API calls 9955 1ab69f 9953->9955 9954->9953 9956 1ab658 __cftof std::future_error::future_error 9954->9956 9956->9951 9962 19cc79 9964 19cc84 shared_ptr 9962->9964 9963 19ccda shared_ptr std::future_error::future_error 9964->9963 9968 195c10 9964->9968 9966 19ce9d 9986 19ca70 9966->9986 9969 195c54 9968->9969 9996 194b30 9969->9996 9971 195d17 shared_ptr std::future_error::future_error 9971->9966 9972 195c7b __cftof 9972->9971 9973 195c10 3 API calls 9972->9973 9974 1966ac 9973->9974 9975 195c10 3 API calls 9974->9975 9976 1966b1 9975->9976 10000 1922c0 9976->10000 9978 1966c9 shared_ptr 9979 195c10 3 API calls 9978->9979 9980 19673d 9979->9980 9981 1922c0 3 API calls 9980->9981 9983 196757 shared_ptr 9981->9983 9982 195c10 3 API calls 9982->9983 9983->9982 9984 1922c0 3 API calls 9983->9984 9985 196852 shared_ptr std::future_error::future_error 9983->9985 9984->9983 9985->9966 9987 19cadd 9986->9987 9989 195c10 3 API calls 9987->9989 9995 19cc87 9987->9995 9988 19ccda shared_ptr std::future_error::future_error 9990 19ccf9 9989->9990 10145 199030 9990->10145 9992 195c10 3 API calls 9993 19ce9d 9992->9993 9994 19ca70 3 API calls 9993->9994 9995->9988 9995->9992 9998 194ce5 9996->9998 9999 194b92 9996->9999 9998->9972 9999->9998 10003 1c6da6 9999->10003 10029 192280 10000->10029 10004 1c6db4 10003->10004 10005 1c6dc2 10003->10005 10008 1c6d19 10004->10008 10005->9999 10009 1c690a __cftof 3 API calls 10008->10009 10010 1c6d2c 10009->10010 10013 1c6d52 10010->10013 10012 1c6d3d 10012->9999 10014 1c6d8f 10013->10014 10015 1c6d5f 10013->10015 10024 1cb67d 10014->10024 10016 1c6d6e 10015->10016 10019 1cb6a1 10015->10019 10016->10012 10020 1c690a __cftof 3 API calls 10019->10020 10021 1cb6be 10020->10021 10022 1cf1bf __cftof 3 API calls 10021->10022 10023 1cb6ce std::future_error::future_error 10021->10023 10022->10023 10023->10016 10025 1ca671 __cftof 3 API calls 10024->10025 10026 1cb688 10025->10026 10027 1cb5fb __cftof 3 API calls 10026->10027 10028 1cb698 10027->10028 10028->10016 10030 192296 10029->10030 10033 1c87f8 10030->10033 10036 1c7609 10033->10036 10035 1922a4 10035->9978 10037 1c7649 10036->10037 10038 1c7631 __dosmaperr ___std_exception_copy std::future_error::future_error 10036->10038 10037->10038 10039 1c690a __cftof 3 API calls 10037->10039 10038->10035 10040 1c7661 10039->10040 10042 1c7bc4 10040->10042 10043 1c7bd5 10042->10043 10044 1c7be4 __dosmaperr ___std_exception_copy 10043->10044 10049 1c8168 10043->10049 10054 1c7dc2 10043->10054 10059 1c7de8 10043->10059 10069 1c7f36 10043->10069 10044->10038 10050 1c8171 10049->10050 10052 1c8178 10049->10052 10078 1c7b50 10050->10078 10052->10043 10053 1c8177 10053->10043 10055 1c7dcb 10054->10055 10057 1c7dd2 10054->10057 10056 1c7b50 3 API calls 10055->10056 10058 1c7dd1 10056->10058 10057->10043 10058->10043 10061 1c7def 10059->10061 10064 1c7e09 __dosmaperr ___std_exception_copy 10059->10064 10060 1c7f69 10067 1c7f77 10060->10067 10068 1c7f8b 10060->10068 10096 1c8241 10060->10096 10061->10060 10062 1c7fa2 10061->10062 10061->10064 10061->10067 10062->10068 10092 1c8390 10062->10092 10064->10043 10067->10068 10100 1c86ea 10067->10100 10068->10043 10070 1c7f4f 10069->10070 10071 1c7f69 10069->10071 10070->10071 10072 1c7fa2 10070->10072 10076 1c7f77 10070->10076 10073 1c8241 3 API calls 10071->10073 10071->10076 10077 1c7f8b 10071->10077 10074 1c8390 3 API calls 10072->10074 10072->10077 10073->10076 10074->10076 10075 1c86ea 3 API calls 10075->10077 10076->10075 10076->10077 10077->10043 10079 1c7b62 __dosmaperr 10078->10079 10082 1c8ab6 10079->10082 10081 1c7b85 __dosmaperr 10081->10053 10083 1c8ad1 10082->10083 10086 1c8868 10083->10086 10085 1c8adb 10085->10081 10087 1c887a 10086->10087 10088 1c690a __cftof GetPEB ExitProcess GetPEB 10087->10088 10089 1c888f __dosmaperr ___std_exception_copy 10087->10089 10091 1c88bf 10088->10091 10089->10085 10090 1c6d52 GetPEB ExitProcess GetPEB 10090->10091 10091->10089 10091->10090 10093 1c83ab 10092->10093 10094 1c83dd 10093->10094 10104 1cc88e 10093->10104 10094->10067 10097 1c825a 10096->10097 10111 1cd3c8 10097->10111 10099 1c830d 10099->10067 10099->10099 10102 1c875d std::future_error::future_error 10100->10102 10103 1c8707 10100->10103 10101 1cc88e __cftof 3 API calls 10101->10103 10102->10068 10103->10101 10103->10102 10107 1cc733 10104->10107 10106 1cc8a6 10106->10094 10108 1cc743 10107->10108 10109 1c690a __cftof GetPEB ExitProcess GetPEB 10108->10109 10110 1cc748 __cftof __dosmaperr ___std_exception_copy 10108->10110 10109->10110 10110->10106 10112 1cd3d8 __dosmaperr ___std_exception_copy 10111->10112 10115 1cd3ee 10111->10115 10112->10099 10113 1cd485 10117 1cd4ae 10113->10117 10118 1cd4e4 10113->10118 10114 1cd48a 10124 1ccbdf 10114->10124 10115->10112 10115->10113 10115->10114 10120 1cd4cc 10117->10120 10121 1cd4b3 10117->10121 10141 1ccef8 10118->10141 10137 1cd0e2 10120->10137 10130 1cd23e 10121->10130 10125 1ccbf1 10124->10125 10126 1c690a __cftof GetPEB ExitProcess GetPEB 10125->10126 10127 1ccc05 10126->10127 10128 1ccef8 GetPEB ExitProcess GetPEB 10127->10128 10129 1ccc0d __alldvrm __cftof __dosmaperr ___std_exception_copy _strrchr 10127->10129 10128->10129 10129->10112 10131 1cd26c 10130->10131 10132 1cd2a5 10131->10132 10133 1cd2de 10131->10133 10135 1cd2b7 10131->10135 10132->10112 10134 1ccf9a GetPEB ExitProcess GetPEB 10133->10134 10134->10132 10136 1cd16d GetPEB ExitProcess GetPEB 10135->10136 10136->10132 10138 1cd10f 10137->10138 10139 1cd14e 10138->10139 10140 1cd16d GetPEB ExitProcess GetPEB 10138->10140 10139->10112 10140->10139 10142 1ccf10 10141->10142 10143 1ccf75 10142->10143 10144 1ccf9a GetPEB ExitProcess GetPEB 10142->10144 10143->10112 10144->10143 10146 199080 10145->10146 10147 195c10 3 API calls 10146->10147 10148 19909a shared_ptr std::future_error::future_error 10147->10148 10148->9995 10212 199ab8 10214 199acc 10212->10214 10215 199b08 10214->10215 10216 19a917 10215->10216 10217 199b4b shared_ptr 10215->10217 10218 19a953 Sleep CreateMutexA 10216->10218 10219 195c10 3 API calls 10217->10219 10220 199b59 10217->10220 10221 19a98e 10218->10221 10222 199b7c 10219->10222 10229 198b30 10222->10229 10224 199b8d 10225 195c10 3 API calls 10224->10225 10226 199cb1 10225->10226 10227 198b30 3 API calls 10226->10227 10228 199cc2 10227->10228 10230 198b7c 10229->10230 10231 195c10 3 API calls 10230->10231 10232 198b97 shared_ptr 10231->10232 10233 198d01 shared_ptr std::future_error::future_error 10232->10233 10234 195c10 3 API calls 10232->10234 10233->10224 10236 198d9a shared_ptr 10234->10236 10235 198e7e shared_ptr std::future_error::future_error 10235->10224 10236->10235 10237 195c10 3 API calls 10236->10237 10238 198f1a shared_ptr std::future_error::future_error 10237->10238 10238->10224 10473 1c8bbe 10474 1c8868 3 API calls 10473->10474 10475 1c8bdc 10474->10475 10239 1942b0 10242 193ac0 10239->10242 10241 1942bb shared_ptr 10243 193af9 10242->10243 10245 1932d0 5 API calls 10243->10245 10246 193c38 10243->10246 10247 193b39 __Cnd_destroy_in_situ shared_ptr __Mtx_destroy_in_situ 10243->10247 10244 1932d0 5 API calls 10249 193c5f 10244->10249 10245->10246 10246->10244 10246->10249 10247->10241 10248 193c68 10248->10241 10249->10248 10250 193810 3 API calls 10249->10250 10251 193cdb shared_ptr 10250->10251 10251->10241 10437 193970 10438 1ac68b __Mtx_init_in_situ 2 API calls 10437->10438 10439 1939a7 10438->10439 10440 1ac68b __Mtx_init_in_situ 2 API calls 10439->10440 10441 1939e6 10440->10441 10442 192170 10443 1ac6fc InitializeCriticalSectionEx 10442->10443 10444 19217a 10443->10444 10487 1955f0 10488 195610 10487->10488 10489 1922c0 3 API calls 10488->10489 10490 195710 std::future_error::future_error 10488->10490 10489->10488 10491 1943f0 10492 1abedf InitOnceExecuteOnce 10491->10492 10493 19440a 10492->10493 10494 194411 10493->10494 10495 1c6cbb 3 API calls 10493->10495 10496 194424 10495->10496 10336 1a9ef0 10337 1a9f0c 10336->10337 10338 1ac68b __Mtx_init_in_situ 2 API calls 10337->10338 10339 1a9f17 10338->10339 10149 194276 10152 192410 10149->10152 10151 19427f 10153 192424 10152->10153 10156 1ab52d 10153->10156 10164 1c3aed 10156->10164 10159 1ab5a5 ___std_exception_copy 10171 1ab1ad 10159->10171 10160 1ab598 10167 1aaf56 10160->10167 10163 19242a 10163->10151 10175 1c4f29 10164->10175 10168 1aaf9f ___std_exception_copy 10167->10168 10170 1aafb2 shared_ptr 10168->10170 10182 1ab39f 10168->10182 10170->10163 10172 1ab1d8 10171->10172 10173 1ab1e1 shared_ptr 10171->10173 10174 1ab39f 4 API calls 10172->10174 10173->10163 10174->10173 10177 1c4f2e __cftof 10175->10177 10176 1ab555 10176->10159 10176->10160 10176->10163 10177->10176 10178 1cd634 __cftof 3 API calls 10177->10178 10181 1c8bfc ___std_exception_copy 10177->10181 10178->10181 10179 1c65ed __cftof 3 API calls 10180 1c8c2f 10179->10180 10181->10179 10183 1abedf InitOnceExecuteOnce 10182->10183 10184 1ab3e1 10183->10184 10185 1ab3e8 10184->10185 10193 1c6cbb 10184->10193 10185->10170 10194 1c6cc7 __dosmaperr 10193->10194 10195 1ca671 __cftof 3 API calls 10194->10195 10198 1c6ccc 10195->10198 10196 1c8bec __cftof 3 API calls 10197 1c6cf6 10196->10197 10198->10196 10252 195cad 10254 195caf __cftof 10252->10254 10253 195d17 shared_ptr std::future_error::future_error 10254->10253 10255 195c10 3 API calls 10254->10255 10256 1966ac 10255->10256 10257 195c10 3 API calls 10256->10257 10258 1966b1 10257->10258 10259 1922c0 3 API calls 10258->10259 10260 1966c9 shared_ptr 10259->10260 10261 195c10 3 API calls 10260->10261 10262 19673d 10261->10262 10263 1922c0 3 API calls 10262->10263 10265 196757 shared_ptr 10263->10265 10264 195c10 3 API calls 10264->10265 10265->10264 10266 1922c0 3 API calls 10265->10266 10267 196852 shared_ptr std::future_error::future_error 10265->10267 10266->10265 9711 1c6629 9714 1c64c7 9711->9714 9717 1c64d5 __cftof 9714->9717 9715 1c6520 9717->9715 9719 1c652b 9717->9719 9718 1c652a 9725 1ca302 GetPEB 9719->9725 9721 1c6535 9722 1c653a GetPEB 9721->9722 9724 1c654a __cftof 9721->9724 9722->9724 9723 1c6562 ExitProcess 9724->9723 9726 1ca31c __cftof 9725->9726 9726->9721 10268 1920a0 10269 1ac68b __Mtx_init_in_situ 2 API calls 10268->10269 10270 1920ac 10269->10270 10372 194120 10373 19416a 10372->10373 10375 1941b2 std::future_error::future_error 10373->10375 10376 193ee0 10373->10376 10377 193f48 10376->10377 10378 193f1e 10376->10378 10379 193f58 10377->10379 10382 192c00 10377->10382 10378->10375 10379->10375 10383 192c0e 10382->10383 10389 1ab847 10383->10389 10385 192c49 10385->10375 10386 192c42 10386->10385 10395 192c80 10386->10395 10388 192c58 Concurrency::cancel_current_task 10390 1ab854 10389->10390 10394 1ab873 Concurrency::details::_Reschedule_chore 10389->10394 10398 1acb77 10390->10398 10392 1ab864 10392->10394 10400 1ab81e 10392->10400 10394->10386 10406 1ab7fb 10395->10406 10397 192cb2 shared_ptr 10397->10388 10399 1acb92 CreateThreadpoolWork 10398->10399 10399->10392 10402 1ab827 Concurrency::details::_Reschedule_chore 10400->10402 10404 1acdcc 10402->10404 10403 1ab841 10403->10394 10405 1acde1 TpPostWork 10404->10405 10405->10403 10407 1ab817 10406->10407 10408 1ab807 10406->10408 10407->10397 10408->10407 10410 1aca78 10408->10410 10411 1aca8d TpReleaseWork 10410->10411 10411->10407 10497 193fe0 10498 194022 10497->10498 10499 19408c 10498->10499 10500 1940d2 10498->10500 10503 194035 std::future_error::future_error 10498->10503 10504 1935e0 10499->10504 10501 193ee0 3 API calls 10500->10501 10501->10503 10505 193616 10504->10505 10509 19364e Concurrency::cancel_current_task shared_ptr std::future_error::future_error 10505->10509 10510 192ce0 10505->10510 10507 19369e 10508 192c00 3 API calls 10507->10508 10507->10509 10508->10509 10509->10503 10511 192d1d 10510->10511 10512 1abedf InitOnceExecuteOnce 10511->10512 10513 192d46 10512->10513 10514 192d88 10513->10514 10515 192d51 std::future_error::future_error 10513->10515 10519 1abef7 10513->10519 10517 192440 3 API calls 10514->10517 10515->10507 10518 192d9b 10517->10518 10518->10507 10520 1abf03 Concurrency::cancel_current_task 10519->10520 10521 1abf6a 10520->10521 10522 1abf73 10520->10522 10526 1abe7f 10521->10526 10523 192ae0 4 API calls 10522->10523 10525 1abf6f 10523->10525 10525->10514 10527 1acc31 InitOnceExecuteOnce 10526->10527 10528 1abe97 10527->10528 10529 1abe9e 10528->10529 10530 1c6cbb 3 API calls 10528->10530 10529->10525 10531 1abea7 10530->10531 10531->10525 10481 199ba5 10482 199ba7 10481->10482 10483 195c10 3 API calls 10482->10483 10484 199cb1 10483->10484 10485 198b30 3 API calls 10484->10485 10486 199cc2 10485->10486

                                                                                                                                                                                                                                                                        Executed Functions

                                                                                                                                                                                                                                                                        Function 001C652B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 351 1c652b-1c6538 call 1ca302 354 1c655a-1c656c call 1c656d ExitProcess 351->354 355 1c653a-1c6548 GetPEB 351->355 355->354 356 1c654a-1c6559 355->356 356->354
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • ExitProcess.KERNEL32(?,?,001C652A,?,?,?,?,?,001C7661), ref: 001C6567
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ExitProcess
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 621844428-0
                                                                                                                                                                                                                                                                        • Opcode ID: 431cba13e600b01e3782c538305268af7dc8e8bb1c9b2d4ba9d247335ab0c01f
                                                                                                                                                                                                                                                                        • Instruction ID: a0436f36fdbf4f724eacb4fac89e7a4e81c97150aa7b833cc929c5b6571770aa
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 431cba13e600b01e3782c538305268af7dc8e8bb1c9b2d4ba9d247335ab0c01f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0BE08C3015114CAFCE26BB28C81DF483B69EF31785F201808FC1886222CB35ED81CA80
                                                                                                                                                                                                                                                                        Function 00199BA5 Relevance: 3.1, APIs: 2, Instructions: 140sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 29379f2fd18ebac44112ec354dd1ed37518006eb1f3d8b6b4a384a6b4f11d6e9
                                                                                                                                                                                                                                                                        • Instruction ID: 788b8423eb478cc102426d2aa6f78752da3d70fbcc350a91faf17ff92530852a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29379f2fd18ebac44112ec354dd1ed37518006eb1f3d8b6b4a384a6b4f11d6e9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 79312471B002008BEF18AB6CDD8DB6DB762EFC2320F20821CE4199B3D5C7759A848792
                                                                                                                                                                                                                                                                        Function 00199F44 Relevance: 3.1, APIs: 2, Instructions: 137sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 22 199f44-199f64 26 199f92-199fae 22->26 27 199f66-199f72 22->27 28 199fdc-199ffb 26->28 29 199fb0-199fbc 26->29 30 199f88-199f8f call 1ad663 27->30 31 199f74-199f82 27->31 34 19a029-19a916 call 1a80c0 28->34 35 199ffd-19a009 28->35 32 199fbe-199fcc 29->32 33 199fd2-199fd9 call 1ad663 29->33 30->26 31->30 36 19a92b 31->36 32->33 32->36 33->28 39 19a00b-19a019 35->39 40 19a01f-19a026 call 1ad663 35->40 42 19a953-19a994 Sleep CreateMutexA 36->42 43 19a92b call 1c6c6a 36->43 39->36 39->40 40->34 51 19a9a7-19a9a8 42->51 52 19a996-19a998 42->52 43->42 52->51 54 19a99a-19a9a5 52->54 54->51
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 7083f1e2bb38bc2000c5ac126b552d504f0daa85a8a206bb9cadfaa96ef5de68
                                                                                                                                                                                                                                                                        • Instruction ID: 43f55e7039fab84c0f50e3c0b20346fcb5ce9611d14cbefe85d16d88e27865e2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7083f1e2bb38bc2000c5ac126b552d504f0daa85a8a206bb9cadfaa96ef5de68
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 933146317002408BEF189B7CDC9DBADBB62EFC6320F644618E419EB7D1C73699848792
                                                                                                                                                                                                                                                                        Function 0019A079 Relevance: 3.1, APIs: 2, Instructions: 136sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 56 19a079-19a099 60 19a09b-19a0a7 56->60 61 19a0c7-19a0e3 56->61 62 19a0a9-19a0b7 60->62 63 19a0bd-19a0c4 call 1ad663 60->63 64 19a111-19a130 61->64 65 19a0e5-19a0f1 61->65 62->63 66 19a930 62->66 63->61 70 19a15e-19a916 call 1a80c0 64->70 71 19a132-19a13e 64->71 68 19a0f3-19a101 65->68 69 19a107-19a10e call 1ad663 65->69 74 19a953-19a994 Sleep CreateMutexA 66->74 75 19a930 call 1c6c6a 66->75 68->66 68->69 69->64 77 19a140-19a14e 71->77 78 19a154-19a15b call 1ad663 71->78 85 19a9a7-19a9a8 74->85 86 19a996-19a998 74->86 75->74 77->66 77->78 78->70 86->85 88 19a99a-19a9a5 86->88 88->85
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: b747612c34d540c1e81134a5f6aa222d5d170d2e8317fe64e31fb75e0461b423
                                                                                                                                                                                                                                                                        • Instruction ID: abdee4565aef2db8f907c8e6f44088d6b2f7c28f06ae2db6c8255a2fd43eadc3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b747612c34d540c1e81134a5f6aa222d5d170d2e8317fe64e31fb75e0461b423
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B0314631B102409BEF089B78DD8DB6DB772EFC2324F644218E414977D1C73699888792
                                                                                                                                                                                                                                                                        Function 0019A1AE Relevance: 3.1, APIs: 2, Instructions: 135sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 90 19a1ae-19a1ce 94 19a1fc-19a218 90->94 95 19a1d0-19a1dc 90->95 96 19a21a-19a226 94->96 97 19a246-19a265 94->97 98 19a1de-19a1ec 95->98 99 19a1f2-19a1f9 call 1ad663 95->99 100 19a228-19a236 96->100 101 19a23c-19a243 call 1ad663 96->101 102 19a293-19a916 call 1a80c0 97->102 103 19a267-19a273 97->103 98->99 104 19a935 98->104 99->94 100->101 100->104 101->97 107 19a289-19a290 call 1ad663 103->107 108 19a275-19a283 103->108 110 19a953-19a994 Sleep CreateMutexA 104->110 111 19a935 call 1c6c6a 104->111 107->102 108->104 108->107 119 19a9a7-19a9a8 110->119 120 19a996-19a998 110->120 111->110 120->119 122 19a99a-19a9a5 120->122 122->119
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 30be18557b96f5b8091f0db4c0dde0782d054b5c659eb13b3eb6020e1b0c6a8d
                                                                                                                                                                                                                                                                        • Instruction ID: c4920a6e6406129de54598665c47b747a0e7a874ded52311cd8c4e63035869f1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 30be18557b96f5b8091f0db4c0dde0782d054b5c659eb13b3eb6020e1b0c6a8d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4D313731B002409BEF08DB78DD9DB6DB772EFD6320F644218E414AB7D1D73699888792
                                                                                                                                                                                                                                                                        Function 0019A418 Relevance: 3.1, APIs: 2, Instructions: 133sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 124 19a418-19a438 128 19a43a-19a446 124->128 129 19a466-19a482 124->129 130 19a448-19a456 128->130 131 19a45c-19a463 call 1ad663 128->131 132 19a4b0-19a4cf 129->132 133 19a484-19a490 129->133 130->131 134 19a93f-19a994 call 1c6c6a * 4 Sleep CreateMutexA 130->134 131->129 138 19a4fd-19a916 call 1a80c0 132->138 139 19a4d1-19a4dd 132->139 136 19a492-19a4a0 133->136 137 19a4a6-19a4ad call 1ad663 133->137 160 19a9a7-19a9a8 134->160 161 19a996-19a998 134->161 136->134 136->137 137->132 140 19a4df-19a4ed 139->140 141 19a4f3-19a4fa call 1ad663 139->141 140->134 140->141 141->138 161->160 162 19a99a-19a9a5 161->162 162->160
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: c64757c652a2eeed451d01f47ea5bf7d2cd077759d92c435b82e8839632454cf
                                                                                                                                                                                                                                                                        • Instruction ID: 5b870060fdfe930108a1f8ca3e66dce7daec09c548ad755a71078f43d61301b2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c64757c652a2eeed451d01f47ea5bf7d2cd077759d92c435b82e8839632454cf
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE316631B002009BEF08ABB8DC8DB7DB772EFD2324F644218E4149B7D5DB7599888792
                                                                                                                                                                                                                                                                        Function 0019A54D Relevance: 3.1, APIs: 2, Instructions: 132sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 164 19a54d-19a56d 168 19a59b-19a5b7 164->168 169 19a56f-19a57b 164->169 172 19a5b9-19a5c5 168->172 173 19a5e5-19a604 168->173 170 19a57d-19a58b 169->170 171 19a591-19a598 call 1ad663 169->171 170->171 176 19a944-19a994 call 1c6c6a * 3 Sleep CreateMutexA 170->176 171->168 178 19a5db-19a5e2 call 1ad663 172->178 179 19a5c7-19a5d5 172->179 174 19a632-19a916 call 1a80c0 173->174 175 19a606-19a612 173->175 181 19a628-19a62f call 1ad663 175->181 182 19a614-19a622 175->182 198 19a9a7-19a9a8 176->198 199 19a996-19a998 176->199 178->173 179->176 179->178 181->174 182->176 182->181 199->198 200 19a99a-19a9a5 199->200 200->198
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 5cc4335f77f98dab870970230237727f62d86539eb171856faf1decd9b9b056d
                                                                                                                                                                                                                                                                        • Instruction ID: 0fcf4dac4c63a2b61319c7a261c764942f5997daa8a7a886d8dd06d14b703abd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5cc4335f77f98dab870970230237727f62d86539eb171856faf1decd9b9b056d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B5311431B002409BEF08DB78DC9DB6DB762EFD6324F648618E415AB7D1CB3599888792
                                                                                                                                                                                                                                                                        Function 0019A682 Relevance: 3.1, APIs: 2, Instructions: 131sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 202 19a682-19a6a2 206 19a6d0-19a6ec 202->206 207 19a6a4-19a6b0 202->207 208 19a71a-19a739 206->208 209 19a6ee-19a6fa 206->209 210 19a6b2-19a6c0 207->210 211 19a6c6-19a6cd call 1ad663 207->211 215 19a73b-19a747 208->215 216 19a767-19a916 call 1a80c0 208->216 213 19a6fc-19a70a 209->213 214 19a710-19a717 call 1ad663 209->214 210->211 217 19a949-19a994 call 1c6c6a * 2 Sleep CreateMutexA 210->217 211->206 213->214 213->217 214->208 220 19a749-19a757 215->220 221 19a75d-19a764 call 1ad663 215->221 234 19a9a7-19a9a8 217->234 235 19a996-19a998 217->235 220->217 220->221 221->216 235->234 236 19a99a-19a9a5 235->236 236->234
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 0845fa537d52ed4ce4837d9f678cd3f0e8b3b3356baa6a9e1f3253e7d2f19e35
                                                                                                                                                                                                                                                                        • Instruction ID: 0442be84e849f26ea66005def6d3a434745cc410c1fbb3a00b4e80759be1423c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0845fa537d52ed4ce4837d9f678cd3f0e8b3b3356baa6a9e1f3253e7d2f19e35
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3A312431B002409BEF0C9BB8DC8DB6DB7B2EFC2324F648218E414977D1C73699888692
                                                                                                                                                                                                                                                                        Function 00199ADC Relevance: 3.1, APIs: 2, Instructions: 107sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 238 199adc-199ae8 239 199aea-199af8 238->239 240 199afe-199b27 call 1ad663 238->240 239->240 241 19a917 239->241 248 199b29-199b35 240->248 249 199b55-199b57 240->249 243 19a953-19a994 Sleep CreateMutexA 241->243 244 19a917 call 1c6c6a 241->244 250 19a9a7-19a9a8 243->250 251 19a996-19a998 243->251 244->243 254 199b4b-199b52 call 1ad663 248->254 255 199b37-199b45 248->255 252 199b59-19a916 call 1a80c0 249->252 253 199b65-199d91 call 1a7a00 call 195c10 call 198b30 call 1a8220 call 1a7a00 call 195c10 call 198b30 call 1a8220 249->253 251->250 258 19a99a-19a9a5 251->258 254->249 255->241 255->254 258->250
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 6542d5570dc460168edc802ef454e865e083af3085d13651deb455bdb8f2de8f
                                                                                                                                                                                                                                                                        • Instruction ID: 3afe07338d838a7c7974b33b091625efb753eeb8e327c65c708d9c62ebafc098
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6542d5570dc460168edc802ef454e865e083af3085d13651deb455bdb8f2de8f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD2134327042409BEF189B6CEC9DB2CB762EFD1320F20421DE819977D1DB7599848692
                                                                                                                                                                                                                                                                        Function 0019A856 Relevance: 3.1, APIs: 2, Instructions: 100sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 315 19a856-19a86e 316 19a89c-19a89e 315->316 317 19a870-19a87c 315->317 320 19a8a9-19a8b1 call 197d30 316->320 321 19a8a0-19a8a7 316->321 318 19a87e-19a88c 317->318 319 19a892-19a899 call 1ad663 317->319 318->319 322 19a94e-19a987 call 1c6c6a Sleep CreateMutexA 318->322 319->316 330 19a8b3-19a8bb call 197d30 320->330 331 19a8e4-19a8e6 320->331 324 19a8eb-19a916 call 1a80c0 321->324 336 19a98e-19a994 322->336 330->331 337 19a8bd-19a8c5 call 197d30 330->337 331->324 338 19a9a7-19a9a8 336->338 339 19a996-19a998 336->339 337->331 343 19a8c7-19a8cf call 197d30 337->343 339->338 341 19a99a-19a9a5 339->341 341->338 343->331 347 19a8d1-19a8d9 call 197d30 343->347 347->331 350 19a8db-19a8e2 347->350 350->324
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: 4b0a588c14366f9e765d049ea45e3a6ecffcfa912b5d55c0bbd05dcc6e4516da
                                                                                                                                                                                                                                                                        • Instruction ID: f9ddbe3f5507b8f35764a64448e49430fdbe7db5ed0a92e97ecdd2c09c5dd2a1
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4b0a588c14366f9e765d049ea45e3a6ecffcfa912b5d55c0bbd05dcc6e4516da
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CD2149313592019AEF2877A89C9EB3DB352EF91305FB40816E508D63D1CB7A998882D3
                                                                                                                                                                                                                                                                        Function 0019A34F Relevance: 3.1, APIs: 2, Instructions: 100sleepsynchronizationCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 292 19a34f-19a35b 293 19a35d-19a36b 292->293 294 19a371-19a39a call 1ad663 292->294 293->294 295 19a93a 293->295 300 19a3c8-19a916 call 1a80c0 294->300 301 19a39c-19a3a8 294->301 298 19a953-19a994 Sleep CreateMutexA 295->298 299 19a93a call 1c6c6a 295->299 306 19a9a7-19a9a8 298->306 307 19a996-19a998 298->307 299->298 303 19a3aa-19a3b8 301->303 304 19a3be-19a3c5 call 1ad663 301->304 303->295 303->304 304->300 307->306 310 19a99a-19a9a5 307->310 310->306
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • Sleep.KERNELBASE(00000064), ref: 0019A963
                                                                                                                                                                                                                                                                        • CreateMutexA.KERNELBASE(00000000,00000000,001F3254), ref: 0019A981
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1464230837-0
                                                                                                                                                                                                                                                                        • Opcode ID: e49eba967b9617262ad63327213e20298e0889e580b493c45b7b8a43872b4ace
                                                                                                                                                                                                                                                                        • Instruction ID: 0d677183c136465ad3869a355da65b80a86f938a11d7ef5e17a5a294d9f4f0f3
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e49eba967b9617262ad63327213e20298e0889e580b493c45b7b8a43872b4ace
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3B214C317042009BEF189B68DC8DB7CB762EFD1314F644219E819977D0C7769A848292

                                                                                                                                                                                                                                                                        Non-executed Functions

                                                                                                                                                                                                                                                                        Function 00192EC0 Relevance: 7.8, APIs: 5, Instructions: 272COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Mtx_unlock$Cnd_broadcast
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 32384418-0
                                                                                                                                                                                                                                                                        • Opcode ID: 79cdb060fe5af0c69c6e6f72bc84cb5e622e66696449fa9197f7db2c011fd3c0
                                                                                                                                                                                                                                                                        • Instruction ID: 02e5c3649cbe9d33939613d3a49ff9f09ce2317bf195cf18c417c5ba1fdaeb49
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 79cdb060fe5af0c69c6e6f72bc84cb5e622e66696449fa9197f7db2c011fd3c0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2A1C0B0A01605AFDF25DF64C944BAAB7F8FF25314F04812AE825D7251EB31EA04CBD1
                                                                                                                                                                                                                                                                        Function 001CCBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: _strrchr
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3213747228-0
                                                                                                                                                                                                                                                                        • Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
                                                                                                                                                                                                                                                                        • Instruction ID: f97d4599da598b88e2cdab96dd2d5b8ef1f15fa50ac17ed47a72b0be8718aa95
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E5B101329042859FDB158F68C881BBEBFA5EF66340F1441AEE859EB241D734CD02CBE4
                                                                                                                                                                                                                                                                        Function 001ABB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000003.00000002.2240662532.0000000000191000.00000040.00000001.01000000.00000007.sdmp, Offset: 00190000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240620691.0000000000190000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240662532.00000000001F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240765715.00000000001F9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240792903.00000000001FB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240821768.0000000000207000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2240998336.0000000000362000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241035647.0000000000365000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241079835.000000000037C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241116847.000000000037E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.000000000037F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241135078.0000000000387000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241172636.0000000000390000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241192646.0000000000391000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241212245.0000000000392000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241232061.0000000000393000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241252698.000000000039C000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241272046.000000000039F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241291687.00000000003A0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241311473.00000000003A3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241336990.00000000003C0000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241358615.00000000003CC000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241385005.00000000003E2000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241406457.00000000003ED000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241425985.00000000003EE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241446155.00000000003F3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241465232.00000000003F4000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241489713.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241516809.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241544798.000000000040B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241565960.0000000000416000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241588643.0000000000417000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241613880.0000000000418000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241647466.000000000041F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241674026.0000000000420000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241701812.0000000000425000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241757817.0000000000426000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.000000000042A000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241785471.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241883956.0000000000494000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241912745.0000000000495000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241947499.000000000049C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2241977267.000000000049E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242022100.00000000004AB000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000003.00000002.2242088472.00000000004AD000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_190000_skotes.jbxd
                                                                                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Xtime_diff_to_millis2_xtime_get
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 531285432-0
                                                                                                                                                                                                                                                                        • Opcode ID: 204d84a308b6672854333c050d6817991dae2893660e77e075a3dbfcec51032f
                                                                                                                                                                                                                                                                        • Instruction ID: dfa1fd3fc10346635a2c47c4979335f5947005efbd469372c3b449668fe3a41a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 204d84a308b6672854333c050d6817991dae2893660e77e075a3dbfcec51032f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90212C79A00119AFDF05EFA4DC819BEB7B9EF1A710F110025FA05AB261DB709D419BE0

                                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                                        Execution Coverage:4.3%
                                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0.6%
                                                                                                                                                                                                                                                                        Signature Coverage:0.9%
                                                                                                                                                                                                                                                                        Total number of Nodes:2000
                                                                                                                                                                                                                                                                        Total number of Limit Nodes:22
                                                                                                                                                                                                                                                                        execution_graph 13504 db57d0 13505 db57dc ___scrt_is_nonwritable_in_current_image 13504->13505 13531 db2baf 13505->13531 13507 db57e3 13508 db593c 13507->13508 13516 db580d ___scrt_is_nonwritable_in_current_image __CreateFrameInfo ___scrt_release_startup_lock 13507->13516 13567 db5020 IsProcessorFeaturePresent 13508->13567 13510 db5943 13511 db5949 13510->13511 13571 db8bd6 13510->13571 13574 db8bec 13511->13574 13515 db582c 13516->13515 13517 db58ad 13516->13517 13520 db58a6 13516->13520 13549 dbb145 13517->13549 13519 db58b3 13553 dd804b 13519->13553 13542 db8c20 13520->13542 13526 db58d8 13527 db58e1 13526->13527 13558 db8c02 13526->13558 13561 db2be8 13527->13561 13532 db2bb8 13531->13532 13577 db4c8c IsProcessorFeaturePresent 13532->13577 13536 db2bc9 13541 db2bcd 13536->13541 13587 db867a 13536->13587 13539 db2be4 13539->13507 13541->13507 13543 dbcf0b ___scrt_is_nonwritable_in_current_image 13542->13543 13544 db8c36 std::_Lockit::_Lockit 13542->13544 13659 dbe783 GetLastError 13543->13659 13544->13517 13550 dbb153 13549->13550 13551 dbb14e 13549->13551 13550->13519 14032 dbb26e 13551->14032 14635 dd8000 GetModuleHandleA GetModuleFileNameA ExitProcess 13553->14635 13556 db4fcd GetModuleHandleW 13557 db4fd9 13556->13557 13557->13510 13557->13526 14638 db8d21 13558->14638 13562 db2bf4 13561->13562 13566 db2c0a 13562->13566 14709 db868c 13562->14709 13564 db2c02 13565 db6188 ___scrt_uninitialize_crt 7 API calls 13564->13565 13565->13566 13566->13515 13568 db5036 __fread_nolock __CreateFrameInfo 13567->13568 13569 db50e1 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 13568->13569 13570 db5125 __CreateFrameInfo 13569->13570 13570->13510 13572 db8d21 __CreateFrameInfo 21 API calls 13571->13572 13573 db8be7 13572->13573 13573->13511 13575 db8d21 __CreateFrameInfo 21 API calls 13574->13575 13576 db5951 13575->13576 13578 db2bc4 13577->13578 13579 db6169 13578->13579 13596 dbe1c6 13579->13596 13582 db6172 13582->13536 13584 db617a 13585 db6185 13584->13585 13610 dbe202 13584->13610 13585->13536 13650 dc0815 13587->13650 13590 db6188 13591 db619b 13590->13591 13592 db6191 13590->13592 13591->13541 13593 dbd297 ___vcrt_uninitialize_ptd 6 API calls 13592->13593 13594 db6196 13593->13594 13595 dbe202 ___vcrt_uninitialize_locks DeleteCriticalSection 13594->13595 13595->13591 13597 dbe1cf 13596->13597 13599 dbe1f8 13597->13599 13601 db616e 13597->13601 13614 dc7e4b 13597->13614 13600 dbe202 ___vcrt_uninitialize_locks DeleteCriticalSection 13599->13600 13600->13601 13601->13582 13602 dbd264 13601->13602 13631 dc7d5c 13602->13631 13607 dbd294 13607->13584 13609 dbd279 13609->13584 13611 dbe20d 13610->13611 13613 dbe22c 13610->13613 13612 dbe217 DeleteCriticalSection 13611->13612 13612->13612 13612->13613 13613->13582 13619 dc7edd 13614->13619 13617 dc7e6e 13617->13597 13618 dc7e83 InitializeCriticalSectionAndSpinCount 13618->13617 13620 dc7e65 13619->13620 13623 dc7efe 13619->13623 13620->13617 13620->13618 13622 dc7f66 GetProcAddress 13622->13620 13623->13620 13623->13622 13624 dc7f57 13623->13624 13626 dc7e92 LoadLibraryExW 13623->13626 13624->13622 13625 dc7f5f FreeLibrary 13624->13625 13625->13622 13627 dc7ea9 GetLastError 13626->13627 13628 dc7ed9 13626->13628 13627->13628 13629 dc7eb4 ___vcrt_FlsSetValue 13627->13629 13628->13623 13629->13628 13630 dc7eca LoadLibraryExW 13629->13630 13630->13623 13632 dc7edd ___vcrt_FlsSetValue 5 API calls 13631->13632 13633 dc7d76 13632->13633 13634 dc7d8f TlsAlloc 13633->13634 13635 dbd26e 13633->13635 13635->13609 13636 dc7e0d 13635->13636 13637 dc7edd ___vcrt_FlsSetValue 5 API calls 13636->13637 13638 dc7e27 13637->13638 13639 dc7e42 TlsSetValue 13638->13639 13640 dbd287 13638->13640 13639->13640 13640->13607 13641 dbd297 13640->13641 13642 dbd2a7 13641->13642 13643 dbd2a1 13641->13643 13642->13609 13645 dc7d97 13643->13645 13646 dc7edd ___vcrt_FlsSetValue 5 API calls 13645->13646 13647 dc7db1 13646->13647 13648 dc7dbd 13647->13648 13649 dc7dc9 TlsFree 13647->13649 13648->13642 13649->13648 13651 dc0825 13650->13651 13652 db2bd6 13650->13652 13651->13652 13654 dbff89 13651->13654 13652->13539 13652->13590 13655 dbff90 13654->13655 13656 dbffd3 GetStdHandle 13655->13656 13657 dc0035 13655->13657 13658 dbffe6 GetFileType 13655->13658 13656->13655 13657->13651 13658->13655 13660 dbe799 13659->13660 13661 dbe79f 13659->13661 13697 dbf19b 13660->13697 13665 dbe7a3 SetLastError 13661->13665 13702 dbf1da 13661->13702 13669 dbe838 13665->13669 13670 dbcf1c 13665->13670 13673 dbb9c2 CallUnexpected 37 API calls 13669->13673 13686 dbb9c2 13670->13686 13671 dbe7e9 13675 dbf1da _unexpected 6 API calls 13671->13675 13672 dbe7d8 13674 dbf1da _unexpected 6 API calls 13672->13674 13676 dbe83d 13673->13676 13677 dbe7e6 13674->13677 13678 dbe7f5 13675->13678 13714 dbe4f7 13677->13714 13679 dbe7f9 13678->13679 13680 dbe810 13678->13680 13682 dbf1da _unexpected 6 API calls 13679->13682 13720 dbea94 13680->13720 13682->13677 13685 dbe4f7 ___free_lconv_mon 14 API calls 13685->13665 13921 dc08cc 13686->13921 13689 dbb9d2 13690 dbb9fb 13689->13690 13691 dbb9dc IsProcessorFeaturePresent 13689->13691 13694 db8bec __CreateFrameInfo 21 API calls 13690->13694 13693 dbb9e8 13691->13693 13951 dbb4b9 13693->13951 13696 dbba05 13694->13696 13725 dbf534 13697->13725 13699 dbf1b7 13700 dbf1d2 TlsGetValue 13699->13700 13701 dbf1c0 13699->13701 13701->13661 13703 dbf534 std::_Lockit::_Lockit 5 API calls 13702->13703 13704 dbf1f6 13703->13704 13705 dbe7bb 13704->13705 13706 dbf214 TlsSetValue 13704->13706 13705->13665 13707 dbf807 13705->13707 13712 dbf814 _unexpected 13707->13712 13708 dbf83f HeapAlloc 13710 dbe7d0 13708->13710 13708->13712 13709 dbf854 13742 dbad6d 13709->13742 13710->13671 13710->13672 13712->13708 13712->13709 13739 db8f08 13712->13739 13715 dbe502 HeapFree 13714->13715 13719 dbe52c 13714->13719 13716 dbe517 GetLastError 13715->13716 13715->13719 13717 dbe524 __dosmaperr 13716->13717 13718 dbad6d __strnicoll 12 API calls 13717->13718 13718->13719 13719->13665 13779 dbebfa 13720->13779 13726 dbf564 13725->13726 13730 dbf560 std::_Lockit::_Lockit 13725->13730 13726->13730 13731 dbf469 13726->13731 13729 dbf57e GetProcAddress 13729->13730 13730->13699 13737 dbf47a ___vcrt_FlsSetValue 13731->13737 13732 dbf498 LoadLibraryExW 13734 dbf4b3 GetLastError 13732->13734 13735 dbf517 13732->13735 13733 dbf510 13733->13729 13733->13730 13734->13737 13735->13733 13736 dbf529 FreeLibrary 13735->13736 13736->13733 13737->13732 13737->13733 13738 dbf4e6 LoadLibraryExW 13737->13738 13738->13735 13738->13737 13745 db8f43 13739->13745 13756 dbe8d4 GetLastError 13742->13756 13744 dbad72 13744->13710 13746 db8f4f ___scrt_is_nonwritable_in_current_image 13745->13746 13751 dbb750 EnterCriticalSection 13746->13751 13748 db8f5a __CreateFrameInfo 13752 db8f91 13748->13752 13751->13748 13755 dbb767 LeaveCriticalSection 13752->13755 13754 db8f13 13754->13712 13755->13754 13757 dbe8ea 13756->13757 13758 dbe8f0 13756->13758 13760 dbf19b _unexpected 6 API calls 13757->13760 13759 dbf1da _unexpected 6 API calls 13758->13759 13762 dbe8f4 SetLastError 13758->13762 13761 dbe90c 13759->13761 13760->13758 13761->13762 13764 dbf807 _unexpected 12 API calls 13761->13764 13762->13744 13765 dbe921 13764->13765 13766 dbe93a 13765->13766 13767 dbe929 13765->13767 13769 dbf1da _unexpected 6 API calls 13766->13769 13768 dbf1da _unexpected 6 API calls 13767->13768 13777 dbe937 13768->13777 13770 dbe946 13769->13770 13771 dbe94a 13770->13771 13772 dbe961 13770->13772 13775 dbf1da _unexpected 6 API calls 13771->13775 13774 dbea94 _unexpected 12 API calls 13772->13774 13773 dbe4f7 ___free_lconv_mon 12 API calls 13773->13762 13776 dbe96c 13774->13776 13775->13777 13778 dbe4f7 ___free_lconv_mon 12 API calls 13776->13778 13777->13773 13778->13762 13780 dbec06 ___scrt_is_nonwritable_in_current_image 13779->13780 13793 dbb750 EnterCriticalSection 13780->13793 13782 dbec10 13794 dbec40 13782->13794 13785 dbec4c 13786 dbec58 ___scrt_is_nonwritable_in_current_image 13785->13786 13798 dbb750 EnterCriticalSection 13786->13798 13788 dbec62 13799 dbea49 13788->13799 13790 dbec7a 13803 dbec9a 13790->13803 13793->13782 13797 dbb767 LeaveCriticalSection 13794->13797 13796 dbeb02 13796->13785 13797->13796 13798->13788 13800 dbea7f __Getctype 13799->13800 13801 dbea58 __Getctype 13799->13801 13800->13790 13801->13800 13806 dc1e7b 13801->13806 13920 dbb767 LeaveCriticalSection 13803->13920 13805 dbe81b 13805->13685 13807 dc1efb 13806->13807 13810 dc1e91 13806->13810 13809 dbe4f7 ___free_lconv_mon 14 API calls 13807->13809 13833 dc1f49 13807->13833 13812 dc1f1d 13809->13812 13810->13807 13811 dc1ec4 13810->13811 13814 dbe4f7 ___free_lconv_mon 14 API calls 13810->13814 13820 dbe4f7 ___free_lconv_mon 14 API calls 13811->13820 13832 dc1ee6 13811->13832 13813 dbe4f7 ___free_lconv_mon 14 API calls 13812->13813 13815 dc1f30 13813->13815 13819 dc1eb9 13814->13819 13821 dbe4f7 ___free_lconv_mon 14 API calls 13815->13821 13816 dbe4f7 ___free_lconv_mon 14 API calls 13822 dc1ef0 13816->13822 13817 dc1fb7 13824 dbe4f7 ___free_lconv_mon 14 API calls 13817->13824 13818 dc1f57 13818->13817 13831 dbe4f7 14 API calls ___free_lconv_mon 13818->13831 13834 dc12dd 13819->13834 13826 dc1edb 13820->13826 13827 dc1f3e 13821->13827 13823 dbe4f7 ___free_lconv_mon 14 API calls 13822->13823 13823->13807 13828 dc1fbd 13824->13828 13862 dc15f8 13826->13862 13830 dbe4f7 ___free_lconv_mon 14 API calls 13827->13830 13828->13800 13830->13833 13831->13818 13832->13816 13874 dc2015 13833->13874 13835 dc12ee 13834->13835 13861 dc13d7 13834->13861 13836 dc12ff 13835->13836 13837 dbe4f7 ___free_lconv_mon 14 API calls 13835->13837 13838 dc1311 13836->13838 13839 dbe4f7 ___free_lconv_mon 14 API calls 13836->13839 13837->13836 13840 dc1323 13838->13840 13841 dbe4f7 ___free_lconv_mon 14 API calls 13838->13841 13839->13838 13842 dc1335 13840->13842 13844 dbe4f7 ___free_lconv_mon 14 API calls 13840->13844 13841->13840 13843 dc1347 13842->13843 13845 dbe4f7 ___free_lconv_mon 14 API calls 13842->13845 13846 dc1359 13843->13846 13847 dbe4f7 ___free_lconv_mon 14 API calls 13843->13847 13844->13842 13845->13843 13847->13846 13861->13811 13863 dc1605 13862->13863 13873 dc165d 13862->13873 13864 dc1615 13863->13864 13866 dbe4f7 ___free_lconv_mon 14 API calls 13863->13866 13865 dc1627 13864->13865 13867 dbe4f7 ___free_lconv_mon 14 API calls 13864->13867 13868 dc1639 13865->13868 13869 dbe4f7 ___free_lconv_mon 14 API calls 13865->13869 13866->13864 13867->13865 13870 dbe4f7 ___free_lconv_mon 14 API calls 13868->13870 13871 dc164b 13868->13871 13869->13868 13870->13871 13872 dbe4f7 ___free_lconv_mon 14 API calls 13871->13872 13871->13873 13872->13873 13873->13832 13875 dc2022 13874->13875 13876 dc2041 13874->13876 13875->13876 13880 dc16dc 13875->13880 13876->13818 13879 dbe4f7 ___free_lconv_mon 14 API calls 13879->13876 13881 dc17ba 13880->13881 13882 dc16ed 13880->13882 13881->13879 13916 dc1a3c 13882->13916 13885 dc1a3c __Getctype 14 API calls 13886 dc1700 13885->13886 13917 dc1a4e 13916->13917 13918 dc16f5 13917->13918 13919 dbe4f7 ___free_lconv_mon 14 API calls 13917->13919 13918->13885 13919->13917 13920->13805 13957 dc0b4f 13921->13957 13924 dc08f3 13926 dc08ff ___scrt_is_nonwritable_in_current_image 13924->13926 13925 dbe8d4 __dosmaperr 14 API calls 13933 dc0930 __CreateFrameInfo 13925->13933 13926->13925 13927 dc094f 13926->13927 13930 dc0961 __CreateFrameInfo 13926->13930 13926->13933 13928 dbad6d __strnicoll 14 API calls 13927->13928 13931 dc0954 13928->13931 13929 dc0997 __CreateFrameInfo 13936 dc09d4 13929->13936 13937 dc0ad1 13929->13937 13947 dc0a02 13929->13947 13930->13929 13971 dbb750 EnterCriticalSection 13930->13971 13968 dbb458 13931->13968 13933->13927 13933->13930 13950 dc0939 13933->13950 13942 dbe783 _unexpected 39 API calls 13936->13942 13936->13947 13939 dc0adc 13937->13939 13976 dbb767 LeaveCriticalSection 13937->13976 13941 db8bec __CreateFrameInfo 21 API calls 13939->13941 13943 dc0ae4 13941->13943 13945 dc09f7 13942->13945 13944 dbe783 _unexpected 39 API calls 13948 dc0a57 13944->13948 13946 dbe783 _unexpected 39 API calls 13945->13946 13946->13947 13972 dc0a7d 13947->13972 13949 dbe783 _unexpected 39 API calls 13948->13949 13948->13950 13949->13950 13950->13689 13952 dbb4d5 __fread_nolock __CreateFrameInfo 13951->13952 13953 dbb501 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 13952->13953 13956 dbb5d2 __CreateFrameInfo 13953->13956 13955 dbb5f0 13955->13690 14024 db29c6 13956->14024 13958 dc0b5b ___scrt_is_nonwritable_in_current_image 13957->13958 13963 dbb750 EnterCriticalSection 13958->13963 13960 dc0b69 13964 dc0bab 13960->13964 13963->13960 13967 dbb767 LeaveCriticalSection 13964->13967 13966 dbb9c7 13966->13689 13966->13924 13967->13966 13977 dbb6a7 13968->13977 13970 dbb464 13970->13950 13971->13929 13973 dc0a81 13972->13973 13975 dc0a49 13972->13975 14023 dbb767 LeaveCriticalSection 13973->14023 13975->13944 13975->13948 13975->13950 13976->13939 13978 dbb6b9 _Fputc 13977->13978 13981 dbb601 13978->13981 13980 dbb6d1 _Fputc 13980->13970 13982 dbb611 13981->13982 13986 dbb618 13981->13986 13990 db8af0 GetLastError 13982->13990 13984 dbb626 13984->13980 13986->13984 13994 dbb67e 13986->13994 13987 dbb64d 13987->13984 13997 dbb485 IsProcessorFeaturePresent 13987->13997 13989 dbb67d 13991 db8b09 13990->13991 14001 dbe985 13991->14001 13995 dbb689 GetLastError SetLastError 13994->13995 13996 dbb6a2 13994->13996 13995->13987 13996->13987 13998 dbb491 13997->13998 13999 dbb4b9 __CreateFrameInfo 8 API calls 13998->13999 14000 dbb4a6 GetCurrentProcess TerminateProcess 13999->14000 14000->13989 14002 dbe998 14001->14002 14003 dbe99e 14001->14003 14004 dbf19b _unexpected 6 API calls 14002->14004 14005 dbf1da _unexpected 6 API calls 14003->14005 14022 db8b25 SetLastError 14003->14022 14004->14003 14006 dbe9b8 14005->14006 14007 dbf807 _unexpected 14 API calls 14006->14007 14006->14022 14008 dbe9c8 14007->14008 14009 dbe9d0 14008->14009 14010 dbe9e5 14008->14010 14012 dbf1da _unexpected 6 API calls 14009->14012 14011 dbf1da _unexpected 6 API calls 14010->14011 14013 dbe9f1 14011->14013 14019 dbe9dc 14012->14019 14014 dbe9f5 14013->14014 14015 dbea04 14013->14015 14017 dbf1da _unexpected 6 API calls 14014->14017 14018 dbea94 _unexpected 14 API calls 14015->14018 14016 dbe4f7 ___free_lconv_mon 14 API calls 14016->14022 14017->14019 14020 dbea0f 14018->14020 14019->14016 14021 dbe4f7 ___free_lconv_mon 14 API calls 14020->14021 14021->14022 14022->13986 14023->13975 14025 db29cf IsProcessorFeaturePresent 14024->14025 14026 db29ce 14024->14026 14028 db4b7e 14025->14028 14026->13955 14031 db4c64 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14028->14031 14030 db4c61 14030->13955 14031->14030 14033 dbb28d 14032->14033 14034 dbb277 14032->14034 14033->13550 14034->14033 14038 dbb1af 14034->14038 14036 dbb284 14036->14033 14055 dbb37c 14036->14055 14039 dbb1bb 14038->14039 14040 dbb1b8 14038->14040 14064 dc004c 14039->14064 14040->14036 14045 dbb1d8 14091 dbb29a 14045->14091 14046 dbb1cc 14047 dbe4f7 ___free_lconv_mon 14 API calls 14046->14047 14049 dbb1d2 14047->14049 14049->14036 14051 dbe4f7 ___free_lconv_mon 14 API calls 14052 dbb1fc 14051->14052 14053 dbe4f7 ___free_lconv_mon 14 API calls 14052->14053 14054 dbb202 14053->14054 14054->14036 14056 dbb3ed 14055->14056 14059 dbb38b 14055->14059 14056->14033 14057 dbe641 WideCharToMultiByte std::_Locinfo::_Locinfo_dtor 14057->14059 14058 dbf807 _unexpected 14 API calls 14058->14059 14059->14056 14059->14057 14059->14058 14061 dbb3f1 14059->14061 14063 dbe4f7 ___free_lconv_mon 14 API calls 14059->14063 14354 dc4926 14059->14354 14060 dbe4f7 ___free_lconv_mon 14 API calls 14060->14056 14061->14060 14063->14059 14065 dc0055 14064->14065 14066 dbb1c1 14064->14066 14113 dbe83e 14065->14113 14070 dc484f GetEnvironmentStringsW 14066->14070 14071 dc4867 14070->14071 14076 dbb1c6 14070->14076 14072 dbe641 std::_Locinfo::_Locinfo_dtor WideCharToMultiByte 14071->14072 14073 dc4884 14072->14073 14074 dc488e FreeEnvironmentStringsW 14073->14074 14075 dc4899 14073->14075 14074->14076 14077 dbe531 __fread_nolock 15 API calls 14075->14077 14076->14045 14076->14046 14078 dc48a0 14077->14078 14079 dc48a8 14078->14079 14080 dc48b9 14078->14080 14082 dbe4f7 ___free_lconv_mon 14 API calls 14079->14082 14081 dbe641 std::_Locinfo::_Locinfo_dtor WideCharToMultiByte 14080->14081 14083 dc48c9 14081->14083 14084 dc48ad FreeEnvironmentStringsW 14082->14084 14085 dc48d8 14083->14085 14086 dc48d0 14083->14086 14084->14076 14088 dbe4f7 ___free_lconv_mon 14 API calls 14085->14088 14087 dbe4f7 ___free_lconv_mon 14 API calls 14086->14087 14089 dc48d6 FreeEnvironmentStringsW 14087->14089 14088->14089 14089->14076 14093 dbb2af 14091->14093 14092 dbf807 _unexpected 14 API calls 14094 dbb2d6 14092->14094 14093->14092 14095 dbb2de 14094->14095 14104 dbb2e8 14094->14104 14096 dbe4f7 ___free_lconv_mon 14 API calls 14095->14096 14112 dbb1df 14096->14112 14097 dbb345 14098 dbe4f7 ___free_lconv_mon 14 API calls 14097->14098 14098->14112 14099 dbf807 _unexpected 14 API calls 14099->14104 14100 dbb354 14348 dbb23f 14100->14348 14104->14097 14104->14099 14104->14100 14106 dbb36f 14104->14106 14108 dbe4f7 ___free_lconv_mon 14 API calls 14104->14108 14339 dbe16c 14104->14339 14105 dbe4f7 ___free_lconv_mon 14 API calls 14107 dbb361 14105->14107 14109 dbb485 __Getctype 11 API calls 14106->14109 14110 dbe4f7 ___free_lconv_mon 14 API calls 14107->14110 14108->14104 14111 dbb37b 14109->14111 14110->14112 14112->14051 14114 dbe849 14113->14114 14115 dbe84f 14113->14115 14116 dbf19b _unexpected 6 API calls 14114->14116 14117 dbf1da _unexpected 6 API calls 14115->14117 14135 dbe855 14115->14135 14116->14115 14118 dbe869 14117->14118 14120 dbf807 _unexpected 14 API calls 14118->14120 14118->14135 14119 dbb9c2 CallUnexpected 39 API calls 14121 dbe8d3 14119->14121 14123 dbe879 14120->14123 14122 dbe85a 14138 dc040d 14122->14138 14124 dbe881 14123->14124 14125 dbe896 14123->14125 14127 dbf1da _unexpected 6 API calls 14124->14127 14126 dbf1da _unexpected 6 API calls 14125->14126 14128 dbe8a2 14126->14128 14129 dbe88d 14127->14129 14130 dbe8a6 14128->14130 14131 dbe8b5 14128->14131 14132 dbe4f7 ___free_lconv_mon 14 API calls 14129->14132 14133 dbf1da _unexpected 6 API calls 14130->14133 14134 dbea94 _unexpected 14 API calls 14131->14134 14132->14135 14133->14129 14136 dbe8c0 14134->14136 14135->14119 14135->14122 14137 dbe4f7 ___free_lconv_mon 14 API calls 14136->14137 14137->14122 14139 dc0437 14138->14139 14160 dc0299 14139->14160 14144 dc0469 14146 dbe4f7 ___free_lconv_mon 14 API calls 14144->14146 14145 dc0477 14174 dc0094 14145->14174 14148 dc0450 14146->14148 14148->14066 14150 dc04af 14151 dbad6d __strnicoll 14 API calls 14150->14151 14153 dc04b4 14151->14153 14152 dc04f6 14155 dc053f 14152->14155 14185 dc07c8 14152->14185 14156 dbe4f7 ___free_lconv_mon 14 API calls 14153->14156 14154 dc04ca 14154->14152 14157 dbe4f7 ___free_lconv_mon 14 API calls 14154->14157 14159 dbe4f7 ___free_lconv_mon 14 API calls 14155->14159 14156->14148 14157->14152 14159->14148 14193 db7e1a 14160->14193 14163 dc02cc 14165 dc02e3 14163->14165 14166 dc02d1 GetACP 14163->14166 14164 dc02ba GetOEMCP 14164->14165 14165->14148 14167 dbe531 14165->14167 14166->14165 14168 dbe56f 14167->14168 14172 dbe53f _unexpected 14167->14172 14170 dbad6d __strnicoll 14 API calls 14168->14170 14169 dbe55a RtlAllocateHeap 14171 dbe56d 14169->14171 14169->14172 14170->14171 14171->14144 14171->14145 14172->14168 14172->14169 14173 db8f08 std::ios_base::_Init 2 API calls 14172->14173 14173->14172 14175 dc0299 41 API calls 14174->14175 14176 dc00b4 14175->14176 14177 dc01b9 14176->14177 14179 dc00f1 IsValidCodePage 14176->14179 14183 dc010c __fread_nolock 14176->14183 14178 db29c6 CatchGuardHandler 5 API calls 14177->14178 14180 dc0297 14178->14180 14179->14177 14181 dc0103 14179->14181 14180->14150 14180->14154 14182 dc012c GetCPInfo 14181->14182 14181->14183 14182->14177 14182->14183 14233 dc0623 14183->14233 14186 dc07d4 ___scrt_is_nonwritable_in_current_image 14185->14186 14313 dbb750 EnterCriticalSection 14186->14313 14188 dc07de 14314 dc0562 14188->14314 14194 db7e38 14193->14194 14200 db7e31 14193->14200 14195 dbe783 _unexpected 39 API calls 14194->14195 14194->14200 14196 db7e59 14195->14196 14201 dbed66 14196->14201 14200->14163 14200->14164 14202 dbed79 14201->14202 14203 db7e6f 14201->14203 14202->14203 14209 dc2046 14202->14209 14205 dbed93 14203->14205 14206 dbedbb 14205->14206 14207 dbeda6 14205->14207 14206->14200 14207->14206 14230 dc0039 14207->14230 14210 dc2052 ___scrt_is_nonwritable_in_current_image 14209->14210 14211 dbe783 _unexpected 39 API calls 14210->14211 14212 dc205b 14211->14212 14213 dc20a1 14212->14213 14222 dbb750 EnterCriticalSection 14212->14222 14213->14203 14215 dc2079 14223 dc20c7 14215->14223 14220 dbb9c2 CallUnexpected 39 API calls 14221 dc20c6 14220->14221 14222->14215 14224 dc20d5 __Getctype 14223->14224 14226 dc208a 14223->14226 14225 dc1e7b __Getctype 14 API calls 14224->14225 14224->14226 14225->14226 14227 dc20a6 14226->14227 14228 dbb767 std::_Lockit::~_Lockit LeaveCriticalSection 14227->14228 14229 dc209d 14228->14229 14229->14213 14229->14220 14231 dbe783 _unexpected 39 API calls 14230->14231 14232 dc003e 14231->14232 14232->14206 14234 dc064b GetCPInfo 14233->14234 14235 dc0714 14233->14235 14234->14235 14241 dc0663 14234->14241 14237 db29c6 CatchGuardHandler 5 API calls 14235->14237 14239 dc07c6 14237->14239 14239->14177 14244 dbfaf3 14241->14244 14245 db7e1a __strnicoll 39 API calls 14244->14245 14246 dbfb13 14245->14246 14264 dbe57f 14246->14264 14248 dbfbcf 14250 db29c6 CatchGuardHandler 5 API calls 14248->14250 14249 dbfbc7 14267 db54a7 14249->14267 14253 dbfbf2 14250->14253 14251 dbfb40 14251->14248 14251->14249 14252 dbe531 __fread_nolock 15 API calls 14251->14252 14255 dbfb65 __fread_nolock __alloca_probe_16 14251->14255 14252->14255 14259 dbfbf4 14253->14259 14255->14249 14256 dbe57f __strnicoll MultiByteToWideChar 14255->14256 14257 dbfbae 14256->14257 14257->14249 14258 dbfbb5 GetStringTypeW 14257->14258 14258->14249 14260 db7e1a __strnicoll 39 API calls 14259->14260 14271 dbe5a9 14264->14271 14268 db54c2 14267->14268 14269 db54b1 14267->14269 14268->14248 14269->14268 14273 dbc522 14269->14273 14272 dbe59b MultiByteToWideChar 14271->14272 14272->14251 14274 dbe4f7 ___free_lconv_mon 14 API calls 14273->14274 14313->14188 14324 dbc20e 14314->14324 14316 dc0584 14317 dbc20e __fread_nolock 29 API calls 14316->14317 14318 dc05a3 14317->14318 14319 dc05ca 14318->14319 14320 dbe4f7 ___free_lconv_mon 14 API calls 14318->14320 14320->14319 14325 dbc21f 14324->14325 14332 dbc21b _Yarn 14324->14332 14326 dbc226 14325->14326 14329 dbc239 __fread_nolock 14325->14329 14327 dbad6d __strnicoll 14 API calls 14326->14327 14328 dbc22b 14327->14328 14331 dbc267 14329->14331 14329->14332 14334 dbc270 14329->14334 14333 dbad6d __strnicoll 14 API calls 14331->14333 14332->14316 14335 dbc26c 14333->14335 14334->14332 14336 dbad6d __strnicoll 14 API calls 14334->14336 14336->14335 14340 dbe188 14339->14340 14341 dbe17a 14339->14341 14342 dbad6d __strnicoll 14 API calls 14340->14342 14341->14340 14346 dbe1a0 14341->14346 14343 dbe190 14342->14343 14344 dbb458 __strnicoll 29 API calls 14343->14344 14345 dbe19a 14344->14345 14345->14104 14346->14345 14347 dbad6d __strnicoll 14 API calls 14346->14347 14347->14343 14349 dbb269 14348->14349 14350 dbb24c 14348->14350 14349->14105 14351 dbb263 14350->14351 14352 dbe4f7 ___free_lconv_mon 14 API calls 14350->14352 14353 dbe4f7 ___free_lconv_mon 14 API calls 14351->14353 14352->14350 14353->14349 14355 dc4931 14354->14355 14356 dc4942 14355->14356 14360 dc4955 ___from_strstr_to_strchr 14355->14360 14357 dbad6d __strnicoll 14 API calls 14356->14357 14358 dc4947 14357->14358 14358->14059 14359 dc4b6c 14362 dbad6d __strnicoll 14 API calls 14359->14362 14360->14359 14361 dc4975 14360->14361 14417 dc4b91 14361->14417 14364 dc4b71 14362->14364 14366 dbe4f7 ___free_lconv_mon 14 API calls 14364->14366 14366->14358 14367 dc49bb 14371 dbf807 _unexpected 14 API calls 14367->14371 14384 dc49a5 14367->14384 14369 dc4997 14377 dc49b4 14369->14377 14378 dc49a0 14369->14378 14374 dc49c9 14371->14374 14372 dbe4f7 ___free_lconv_mon 14 API calls 14372->14358 14373 dc4a79 14373->14384 14385 dc3f46 std::ios_base::_Init 32 API calls 14373->14385 14376 dbe4f7 ___free_lconv_mon 14 API calls 14374->14376 14375 dc4a2e 14380 dbe4f7 ___free_lconv_mon 14 API calls 14375->14380 14383 dc49d4 14376->14383 14379 dc4b91 39 API calls 14377->14379 14381 dbad6d __strnicoll 14 API calls 14378->14381 14382 dc49b9 14379->14382 14389 dc4a36 14380->14389 14381->14384 14382->14384 14421 dc4bab 14382->14421 14383->14382 14383->14384 14387 dbf807 _unexpected 14 API calls 14383->14387 14384->14372 14386 dc4aa7 14385->14386 14388 dbe4f7 ___free_lconv_mon 14 API calls 14386->14388 14391 dc49f0 14387->14391 14394 dc4a63 14388->14394 14389->14394 14425 dc3f46 14389->14425 14390 dc4b61 14392 dbe4f7 ___free_lconv_mon 14 API calls 14390->14392 14395 dbe4f7 ___free_lconv_mon 14 API calls 14391->14395 14392->14358 14394->14384 14394->14390 14394->14394 14398 dbf807 _unexpected 14 API calls 14394->14398 14395->14382 14396 dc4a5a 14397 dbe4f7 ___free_lconv_mon 14 API calls 14396->14397 14397->14394 14399 dc4af2 14398->14399 14400 dc4afa 14399->14400 14401 dc4b02 14399->14401 14402 dbe4f7 ___free_lconv_mon 14 API calls 14400->14402 14403 dbe16c std::exception::exception 29 API calls 14401->14403 14402->14384 14404 dc4b0e 14403->14404 14405 dc4b15 14404->14405 14406 dc4b86 14404->14406 14434 dc9a5c 14405->14434 14407 dbb485 __Getctype 11 API calls 14406->14407 14409 dc4b90 14407->14409 14411 dc4b3c 14414 dbad6d __strnicoll 14 API calls 14411->14414 14412 dc4b5b 14413 dbe4f7 ___free_lconv_mon 14 API calls 14412->14413 14413->14390 14418 dc4b9e 14417->14418 14419 dc4980 14417->14419 14449 dc4c00 14418->14449 14419->14367 14419->14369 14419->14382 14422 dc4a1e 14421->14422 14424 dc4bc1 14421->14424 14422->14373 14422->14375 14424->14422 14464 dc996b 14424->14464 14426 dc3f6e 14425->14426 14427 dc3f53 14425->14427 14428 dc3f7d 14426->14428 14564 dc9604 14426->14564 14427->14426 14429 dc3f5f 14427->14429 14571 dc757c 14428->14571 14431 dbad6d __strnicoll 14 API calls 14429->14431 14433 dc3f64 __fread_nolock 14431->14433 14433->14396 14583 dbf7c8 14434->14583 14439 dc9acf 14442 dbe4f7 ___free_lconv_mon 14 API calls 14439->14442 14444 dc9adb 14439->14444 14440 dbf7c8 39 API calls 14441 dc9aac 14440->14441 14445 db7f14 17 API calls 14441->14445 14442->14444 14443 dc4b36 14443->14411 14443->14412 14444->14443 14446 dbe4f7 ___free_lconv_mon 14 API calls 14444->14446 14447 dc9ab9 14445->14447 14446->14443 14447->14439 14448 dc9ac3 SetEnvironmentVariableW 14447->14448 14448->14439 14450 dc4c0e 14449->14450 14451 dc4c13 14449->14451 14450->14419 14452 dbf807 _unexpected 14 API calls 14451->14452 14458 dc4c30 14452->14458 14453 dc4c9e 14454 dbb9c2 CallUnexpected 39 API calls 14453->14454 14456 dc4ca3 14454->14456 14455 dbe4f7 ___free_lconv_mon 14 API calls 14455->14450 14457 dbb485 __Getctype 11 API calls 14456->14457 14459 dc4caf 14457->14459 14458->14453 14458->14456 14460 dbf807 _unexpected 14 API calls 14458->14460 14461 dbe4f7 ___free_lconv_mon 14 API calls 14458->14461 14462 dbe16c std::exception::exception 29 API calls 14458->14462 14463 dc4c8d 14458->14463 14460->14458 14461->14458 14462->14458 14463->14455 14465 dc997f 14464->14465 14466 dc9979 14464->14466 14482 dc9994 14465->14482 14469 dca0fb 14466->14469 14470 dca0b3 14466->14470 14502 dca111 14469->14502 14472 dca0b9 14470->14472 14475 dca0d6 14470->14475 14474 dbad6d __strnicoll 14 API calls 14472->14474 14473 dca0c9 14473->14424 14476 dca0be 14474->14476 14477 dbad6d __strnicoll 14 API calls 14475->14477 14481 dca0f4 14475->14481 14478 dbb458 __strnicoll 29 API calls 14476->14478 14479 dca0e5 14477->14479 14478->14473 14480 dbb458 __strnicoll 29 API calls 14479->14480 14480->14473 14481->14424 14483 db7e1a __strnicoll 39 API calls 14482->14483 14484 dc99aa 14483->14484 14485 dc998f 14484->14485 14486 dc99c6 14484->14486 14488 dc99dd 14484->14488 14485->14424 14487 dbad6d __strnicoll 14 API calls 14486->14487 14489 dc99cb 14487->14489 14490 dc99f8 14488->14490 14491 dc99e6 14488->14491 14492 dbb458 __strnicoll 29 API calls 14489->14492 14494 dc9a18 14490->14494 14495 dc9a05 14490->14495 14493 dbad6d __strnicoll 14 API calls 14491->14493 14492->14485 14496 dc99eb 14493->14496 14520 dca1dc 14494->14520 14497 dca111 __strnicoll 39 API calls 14495->14497 14500 dbb458 __strnicoll 29 API calls 14496->14500 14497->14485 14500->14485 14501 dbad6d __strnicoll 14 API calls 14501->14485 14503 dca13b 14502->14503 14504 dca121 14502->14504 14506 dca15a 14503->14506 14507 dca143 14503->14507 14505 dbad6d __strnicoll 14 API calls 14504->14505 14508 dca126 14505->14508 14510 dca17d 14506->14510 14511 dca166 14506->14511 14509 dbad6d __strnicoll 14 API calls 14507->14509 14512 dbb458 __strnicoll 29 API calls 14508->14512 14513 dca148 14509->14513 14515 db7e1a __strnicoll 39 API calls 14510->14515 14519 dca131 14510->14519 14514 dbad6d __strnicoll 14 API calls 14511->14514 14512->14519 14516 dbb458 __strnicoll 29 API calls 14513->14516 14517 dca16b 14514->14517 14515->14519 14516->14519 14518 dbb458 __strnicoll 29 API calls 14517->14518 14518->14519 14519->14473 14521 db7e1a __strnicoll 39 API calls 14520->14521 14522 dca1ef 14521->14522 14525 dca222 14522->14525 14530 dca256 __strnicoll 14525->14530 14526 db29c6 CatchGuardHandler 5 API calls 14527 dc9a2e 14526->14527 14527->14485 14527->14501 14528 dca2d6 14531 dbe57f __strnicoll MultiByteToWideChar 14528->14531 14537 dca2da 14528->14537 14529 dca4ba 14530->14528 14530->14529 14532 dca2c3 GetCPInfo 14530->14532 14530->14537 14534 dca35c 14531->14534 14532->14528 14532->14537 14533 dca4ae 14535 db54a7 __freea 14 API calls 14533->14535 14534->14533 14536 dbe531 __fread_nolock 15 API calls 14534->14536 14534->14537 14538 dca383 __alloca_probe_16 14534->14538 14535->14537 14536->14538 14537->14526 14537->14529 14538->14533 14539 dbe57f __strnicoll MultiByteToWideChar 14538->14539 14540 dca3cf 14539->14540 14540->14533 14541 dbe57f __strnicoll MultiByteToWideChar 14540->14541 14542 dca3eb 14541->14542 14542->14533 14543 dca3f9 14542->14543 14544 dca45c 14543->14544 14545 dbe531 __fread_nolock 15 API calls 14543->14545 14548 dca412 __alloca_probe_16 14543->14548 14546 db54a7 __freea 14 API calls 14544->14546 14545->14548 14547 dca462 14546->14547 14548->14544 14550 dbe57f __strnicoll MultiByteToWideChar 14548->14550 14565 dc960f 14564->14565 14566 dc9624 HeapSize 14564->14566 14567 dbad6d __strnicoll 14 API calls 14565->14567 14566->14428 14568 dc9614 14567->14568 14569 dbb458 __strnicoll 29 API calls 14568->14569 14570 dc961f 14569->14570 14570->14428 14572 dc7589 14571->14572 14573 dc7594 14571->14573 14575 dbe531 __fread_nolock 15 API calls 14572->14575 14574 dc759c 14573->14574 14582 dc75a5 _unexpected 14573->14582 14576 dbe4f7 ___free_lconv_mon 14 API calls 14574->14576 14580 dc7591 14575->14580 14576->14580 14577 dc75cf HeapReAlloc 14577->14580 14577->14582 14578 dc75aa 14579 dbad6d __strnicoll 14 API calls 14578->14579 14579->14580 14580->14433 14581 db8f08 std::ios_base::_Init 2 API calls 14581->14582 14582->14577 14582->14578 14582->14581 14584 db7e1a __strnicoll 39 API calls 14583->14584 14585 dbf7da 14584->14585 14586 dbf7ec 14585->14586 14591 dbf04d 14585->14591 14588 db7f14 14586->14588 14597 db7f6c 14588->14597 14594 dbf5b9 14591->14594 14595 dbf534 std::_Lockit::_Lockit 5 API calls 14594->14595 14596 dbf055 14595->14596 14596->14586 14598 db7f7a 14597->14598 14599 db7f94 14597->14599 14615 db7efa 14598->14615 14600 db7f9b 14599->14600 14601 db7fba 14599->14601 14614 db7f2c 14600->14614 14619 db7ebb 14600->14619 14603 dbe57f __strnicoll MultiByteToWideChar 14601->14603 14605 db7fc9 14603->14605 14606 db7fd0 GetLastError 14605->14606 14608 db7ff6 14605->14608 14611 db7ebb 15 API calls 14605->14611 14624 dbad93 14606->14624 14609 dbe57f __strnicoll MultiByteToWideChar 14608->14609 14608->14614 14612 db800d 14609->14612 14611->14608 14612->14606 14612->14614 14614->14439 14614->14440 14616 db7f05 14615->14616 14618 db7f0d 14615->14618 14617 dbe4f7 ___free_lconv_mon 14 API calls 14616->14617 14617->14618 14618->14614 14620 db7efa 14 API calls 14619->14620 14621 db7ec9 14620->14621 14629 db7e9c 14621->14629 14632 dbad80 14624->14632 14630 dbe531 __fread_nolock 15 API calls 14629->14630 14631 db7ea9 14630->14631 14631->14614 14633 dbe8d4 __dosmaperr 14 API calls 14632->14633 14636 db29c6 CatchGuardHandler 5 API calls 14635->14636 14637 db58ca 14636->14637 14637->13556 14639 db8d4e 14638->14639 14640 db8d5f 14638->14640 14642 db4fcd __CreateFrameInfo GetModuleHandleW 14639->14642 14654 db8ebb 14640->14654 14644 db8d53 14642->14644 14644->14640 14649 db8c55 GetModuleHandleExW 14644->14649 14645 db8c0d 14645->13527 14650 db8ca8 14649->14650 14651 db8c94 GetProcAddress 14649->14651 14652 db8cbb FreeLibrary 14650->14652 14653 db8cc4 14650->14653 14651->14650 14652->14653 14653->14640 14655 db8ec7 ___scrt_is_nonwritable_in_current_image 14654->14655 14669 dbb750 EnterCriticalSection 14655->14669 14657 db8ed1 14670 db8db8 14657->14670 14659 db8ede 14674 db8efc 14659->14674 14662 db8cf0 14699 db8cd7 14662->14699 14664 db8cfa 14665 db8d0e 14664->14665 14666 db8cfe GetCurrentProcess TerminateProcess 14664->14666 14667 db8c55 __CreateFrameInfo 3 API calls 14665->14667 14666->14665 14668 db8d16 ExitProcess 14667->14668 14669->14657 14671 db8dc4 ___scrt_is_nonwritable_in_current_image __CreateFrameInfo 14670->14671 14673 db8e28 __CreateFrameInfo 14671->14673 14677 dbaa87 14671->14677 14673->14659 14698 dbb767 LeaveCriticalSection 14674->14698 14676 db8d97 14676->14645 14676->14662 14678 dbaa93 __EH_prolog3 14677->14678 14681 dbad12 14678->14681 14680 dbaaba std::ios_base::_Init 14680->14673 14682 dbad1e ___scrt_is_nonwritable_in_current_image 14681->14682 14689 dbb750 EnterCriticalSection 14682->14689 14684 dbad2c 14690 dbabdd 14684->14690 14689->14684 14691 dbabfc 14690->14691 14692 dbabf4 14690->14692 14691->14692 14693 dbe4f7 ___free_lconv_mon 14 API calls 14691->14693 14694 dbad61 14692->14694 14693->14692 14697 dbb767 LeaveCriticalSection 14694->14697 14696 dbad4a 14696->14680 14697->14696 14698->14676 14702 dc0f55 14699->14702 14701 db8cdc __CreateFrameInfo 14701->14664 14703 dc0f64 __CreateFrameInfo 14702->14703 14704 dc0f71 14703->14704 14706 dbf3e7 14703->14706 14704->14701 14707 dbf534 std::_Lockit::_Lockit 5 API calls 14706->14707 14708 dbf403 14707->14708 14708->14704 14710 db86a9 ___scrt_uninitialize_crt 14709->14710 14711 db8697 14709->14711 14710->13564 14712 db86a5 14711->14712 14714 dbbbb9 14711->14714 14712->13564 14717 dbbce4 14714->14717 14720 dbbdbd 14717->14720 14721 dbbdc9 ___scrt_is_nonwritable_in_current_image 14720->14721 14728 dbb750 EnterCriticalSection 14721->14728 14723 dbbe3f 14737 dbbe5d 14723->14737 14726 dbbdd3 ___scrt_uninitialize_crt 14726->14723 14729 dbbd31 14726->14729 14728->14726 14730 dbbd3d ___scrt_is_nonwritable_in_current_image 14729->14730 14740 db875f EnterCriticalSection 14730->14740 14732 dbbd47 ___scrt_uninitialize_crt 14736 dbbd80 14732->14736 14741 dbbbc2 14732->14741 14752 dbbdb1 14736->14752 14853 dbb767 LeaveCriticalSection 14737->14853 14739 dbbbc0 14739->14712 14740->14732 14742 dbbbd7 _Fputc 14741->14742 14743 dbbbe9 14742->14743 14744 dbbbde 14742->14744 14755 dbbc27 14743->14755 14745 dbbce4 ___scrt_uninitialize_crt 68 API calls 14744->14745 14748 dbbbe4 _Fputc 14745->14748 14748->14736 14750 dbbc0a 14768 dc5164 14750->14768 14852 db8773 LeaveCriticalSection 14752->14852 14754 dbbd9f 14754->14726 14756 dbbbf3 14755->14756 14757 dbbc40 14755->14757 14756->14748 14761 dc0efc 14756->14761 14757->14756 14758 dc0efc __fread_nolock 29 API calls 14757->14758 14759 dbbc5c 14758->14759 14779 dc549f 14759->14779 14762 dc0f1d 14761->14762 14763 dc0f08 14761->14763 14762->14750 14764 dbad6d __strnicoll 14 API calls 14763->14764 14765 dc0f0d 14764->14765 14766 dbb458 __strnicoll 29 API calls 14765->14766 14767 dc0f18 14766->14767 14767->14750 14769 dc5175 14768->14769 14770 dc5182 14768->14770 14771 dbad6d __strnicoll 14 API calls 14769->14771 14772 dc51cb 14770->14772 14774 dc51a9 14770->14774 14776 dc517a 14771->14776 14773 dbad6d __strnicoll 14 API calls 14772->14773 14775 dc51d0 14773->14775 14822 dc51e1 14774->14822 14778 dbb458 __strnicoll 29 API calls 14775->14778 14776->14748 14778->14776 14781 dc54ab ___scrt_is_nonwritable_in_current_image 14779->14781 14780 dc54b3 14780->14756 14781->14780 14782 dc54ec 14781->14782 14784 dc5532 14781->14784 14783 dbb601 _Fputc 29 API calls 14782->14783 14783->14780 14790 dc4ef9 EnterCriticalSection 14784->14790 14786 dc5538 14788 dc5556 14786->14788 14791 dc5283 14786->14791 14819 dc55a8 14788->14819 14790->14786 14792 dc52ab 14791->14792 14818 dc52ce __fread_nolock 14791->14818 14793 dc52af 14792->14793 14795 dc530a 14792->14795 14794 dbb601 _Fputc 29 API calls 14793->14794 14794->14818 14796 dc5328 14795->14796 14797 dc4033 _Fputc 31 API calls 14795->14797 14798 dc55b0 _Fputc 40 API calls 14796->14798 14797->14796 14799 dc533a 14798->14799 14818->14788 14820 dc4f1c __fread_nolock LeaveCriticalSection 14819->14820 14821 dc55ae 14820->14821 14821->14780 14823 dc51ed ___scrt_is_nonwritable_in_current_image 14822->14823 14835 dc4ef9 EnterCriticalSection 14823->14835 14825 dc51fc 14833 dc5241 14825->14833 14836 dc4cb0 14825->14836 14826 dbad6d __strnicoll 14 API calls 14828 dc5248 14826->14828 14833->14826 14835->14825 14837 dc4cbd 14836->14837 14838 dc4cd2 14836->14838 14839 dbad80 __dosmaperr 14 API calls 14837->14839 14852->14754 14853->14739 13496 dd519e 13503 dd51d4 13496->13503 13497 dd5321 GetPEB 13498 dd5333 CreateProcessW VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 13497->13498 13499 dd53da WriteProcessMemory 13498->13499 13498->13503 13500 dd541f 13499->13500 13501 dd5424 WriteProcessMemory 13500->13501 13502 dd5461 WriteProcessMemory Wow64SetThreadContext ResumeThread 13500->13502 13501->13500 13503->13497 13503->13498 15847 db42bc 15848 db42c8 15847->15848 15852 db42ff 15848->15852 15853 dbcc2c 15848->15853 15850 db42ec 15851 db4362 29 API calls 15850->15851 15850->15852 15851->15852 15854 dbcc3f _Fputc 15853->15854 15857 dbcc99 15854->15857 15856 dbcc54 _Fputc 15856->15850 15858 dbccab 15857->15858 15860 dbccce 15857->15860 15859 dbb601 _Fputc 29 API calls 15858->15859 15861 dbccc6 15859->15861 15860->15858 15862 dbccf5 15860->15862 15861->15856 15865 dbcdcf 15862->15865 15866 dbcddb ___scrt_is_nonwritable_in_current_image 15865->15866 15873 db875f EnterCriticalSection 15866->15873 15868 dbcde9 15874 dbcd2f 15868->15874 15870 dbcdf6 15883 dbce1e 15870->15883 15873->15868 15875 dbbc27 ___scrt_uninitialize_crt 64 API calls 15874->15875 15876 dbcd4a 15875->15876 15886 dc0d89 15876->15886 15879 dbf807 _unexpected 14 API calls 15880 dbcd93 15879->15880 15881 dbe4f7 ___free_lconv_mon 14 API calls 15880->15881 15882 dbcd6f 15881->15882 15882->15870 15890 db8773 LeaveCriticalSection 15883->15890 15885 dbcd2d 15885->15856 15887 dbcd54 15886->15887 15888 dc0da0 15886->15888 15887->15879 15887->15882 15888->15887 15889 dbe4f7 ___free_lconv_mon 14 API calls 15888->15889 15889->15887 15890->15885 17253 db3fa3 17254 db3fb9 _Yarn 17253->17254 17255 db3fbf 17254->17255 17256 db4065 17254->17256 17259 dbc32c 17254->17259 17256->17255 17258 dbc32c __fread_nolock 45 API calls 17256->17258 17258->17255 17262 dbc28f 17259->17262 17264 dbc29b ___scrt_is_nonwritable_in_current_image 17262->17264 17263 dbc2d3 17263->17254 17264->17263 17265 dbc2ae __fread_nolock 17264->17265 17266 dbc2e5 17264->17266 17269 dbad6d __strnicoll 14 API calls 17265->17269 17275 db875f EnterCriticalSection 17266->17275 17268 dbc2ef 17276 dbc349 17268->17276 17270 dbc2c8 17269->17270 17272 dbb458 __strnicoll 29 API calls 17270->17272 17272->17263 17275->17268 17279 dbc35b __fread_nolock 17276->17279 17282 dbc306 17276->17282 17277 dbc368 17278 dbad6d __strnicoll 14 API calls 17277->17278 17288 dbc36d 17278->17288 17279->17277 17279->17282 17287 dbc3b9 17279->17287 17280 dbb458 __strnicoll 29 API calls 17280->17282 17281 dc5d52 __fread_nolock 43 API calls 17281->17287 17290 dbc324 17282->17290 17283 dbc4e4 __fread_nolock 17286 dbad6d __strnicoll 14 API calls 17283->17286 17284 dbc20e __fread_nolock 29 API calls 17284->17287 17285 dc0efc __fread_nolock 29 API calls 17285->17287 17286->17288 17287->17281 17287->17282 17287->17283 17287->17284 17287->17285 17289 dc625d __fread_nolock 41 API calls 17287->17289 17288->17280 17289->17287 17293 db8773 LeaveCriticalSection 17290->17293 17292 dbc32a 17292->17263 17293->17292 15908 db884f 15909 dbbbb9 ___scrt_uninitialize_crt 68 API calls 15908->15909 15910 db8857 15909->15910 15918 dc0cde 15910->15918 15912 db885c 15913 dc0d89 14 API calls 15912->15913 15914 db886b DeleteCriticalSection 15913->15914 15914->15912 15915 db8886 15914->15915 15916 dbe4f7 ___free_lconv_mon 14 API calls 15915->15916 15917 db8891 15916->15917 15919 dc0cea ___scrt_is_nonwritable_in_current_image 15918->15919 15928 dbb750 EnterCriticalSection 15919->15928 15921 dc0cf5 15922 dc0d61 15921->15922 15924 dc0d35 DeleteCriticalSection 15921->15924 15929 dbba11 15921->15929 15933 dc0d80 15922->15933 15927 dbe4f7 ___free_lconv_mon 14 API calls 15924->15927 15927->15921 15928->15921 15930 dbba24 _Fputc 15929->15930 15936 dbbacf 15930->15936 15932 dbba30 _Fputc 15932->15921 16008 dbb767 LeaveCriticalSection 15933->16008 15935 dc0d6d 15935->15912 15937 dbbadb ___scrt_is_nonwritable_in_current_image 15936->15937 15938 dbbb08 15937->15938 15939 dbbae5 15937->15939 15946 dbbb00 15938->15946 15947 db875f EnterCriticalSection 15938->15947 15940 dbb601 _Fputc 29 API calls 15939->15940 15940->15946 15942 dbbb26 15948 dbba41 15942->15948 15944 dbbb33 15962 dbbb5e 15944->15962 15946->15932 15947->15942 15949 dbba4e 15948->15949 15950 dbba71 15948->15950 15951 dbb601 _Fputc 29 API calls 15949->15951 15952 dbbc27 ___scrt_uninitialize_crt 64 API calls 15950->15952 15960 dbba69 15950->15960 15951->15960 15953 dbba89 15952->15953 15954 dc0d89 14 API calls 15953->15954 15955 dbba91 15954->15955 15956 dc0efc __fread_nolock 29 API calls 15955->15956 15957 dbba9d 15956->15957 15965 dc4ff5 15957->15965 15960->15944 15961 dbe4f7 ___free_lconv_mon 14 API calls 15961->15960 16007 db8773 LeaveCriticalSection 15962->16007 15964 dbbb64 15964->15946 15967 dc501e 15965->15967 15971 dbbaa4 15965->15971 15966 dc506d 15968 dbb601 _Fputc 29 API calls 15966->15968 15967->15966 15969 dc5045 15967->15969 15968->15971 15972 dc5098 15969->15972 15971->15960 15971->15961 15973 dc50a4 ___scrt_is_nonwritable_in_current_image 15972->15973 15980 dc4ef9 EnterCriticalSection 15973->15980 15975 dc50b2 15977 dc50e3 15975->15977 15981 dc4f55 15975->15981 15994 dc511d 15977->15994 15980->15975 15982 dc4cb0 __fread_nolock 29 API calls 15981->15982 15985 dc4f65 15982->15985 15983 dc4f6b 15997 dc4d1a 15983->15997 15985->15983 15986 dc4f9d 15985->15986 15988 dc4cb0 __fread_nolock 29 API calls 15985->15988 15986->15983 15987 dc4cb0 __fread_nolock 29 API calls 15986->15987 15989 dc4fa9 CloseHandle 15987->15989 15990 dc4f94 15988->15990 15989->15983 15991 dc4fb5 GetLastError 15989->15991 15992 dc4cb0 __fread_nolock 29 API calls 15990->15992 15991->15983 15992->15986 15993 dc4fc3 __fread_nolock 15993->15977 16006 dc4f1c LeaveCriticalSection 15994->16006 15996 dc5106 15996->15971 15998 dc4d29 15997->15998 15999 dc4d90 15997->15999 15998->15999 16005 dc4d53 15998->16005 16000 dbad6d __strnicoll 14 API calls 15999->16000 16001 dc4d95 16000->16001 16002 dbad80 __dosmaperr 14 API calls 16001->16002 16003 dc4d80 16002->16003 16003->15993 16004 dc4d7a SetStdHandle 16004->16003 16005->16003 16005->16004 16006->15996 16007->15964 16008->15935 17511 db416b 17512 db417f 17511->17512 17513 db43df 69 API calls 17512->17513 17518 db41da 17512->17518 17514 db41aa 17513->17514 17515 db41c7 17514->17515 17516 dbae1d 67 API calls 17514->17516 17514->17518 17515->17518 17519 dbc01e 17515->17519 17516->17515 17520 dbc029 17519->17520 17521 dbc03e 17519->17521 17522 dbad6d __strnicoll 14 API calls 17520->17522 17523 dbc05b 17521->17523 17524 dbc046 17521->17524 17526 dbc02e 17522->17526 17533 dc4217 17523->17533 17527 dbad6d __strnicoll 14 API calls 17524->17527 17529 dbb458 __strnicoll 29 API calls 17526->17529 17528 dbc04b 17527->17528 17530 dbb458 __strnicoll 29 API calls 17528->17530 17532 dbc039 17529->17532 17531 dbc056 17530->17531 17531->17518 17532->17518 17534 dc422b _Fputc 17533->17534 17537 dc47c0 17534->17537 17536 dc4237 _Fputc 17536->17531 17538 dc47cc ___scrt_is_nonwritable_in_current_image 17537->17538 17539 dc47f6 17538->17539 17540 dc47d3 17538->17540 17548 db875f EnterCriticalSection 17539->17548 17541 dbb601 _Fputc 29 API calls 17540->17541 17543 dc47ec 17541->17543 17543->17536 17544 dc4804 17549 dc461f 17544->17549 17546 dc4813 17562 dc4845 17546->17562 17548->17544 17550 dc462e 17549->17550 17551 dc4656 17549->17551 17553 dbb601 _Fputc 29 API calls 17550->17553 17552 dc0efc __fread_nolock 29 API calls 17551->17552 17554 dc465f 17552->17554 17561 dc4649 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17553->17561 17555 dc4051 33 API calls 17554->17555 17556 dc467d 17555->17556 17557 dc4709 17556->17557 17559 dc4720 17556->17559 17556->17561 17558 dc42a9 34 API calls 17557->17558 17558->17561 17560 dc4454 33 API calls 17559->17560 17559->17561 17560->17561 17561->17546 17565 db8773 LeaveCriticalSection 17562->17565 17564 dc484d 17564->17543 17565->17564 14854 db1614 GetPEB 14876 db1098 14854->14876 14857 db1828 14859 db29c6 CatchGuardHandler 5 API calls 14857->14859 14858 db1680 GetFileSize 14860 db1804 CloseHandle 14858->14860 14861 db1694 14858->14861 14862 db1836 14859->14862 14860->14857 14863 db169c ReadFile 14861->14863 14864 db17fb 14863->14864 14865 db16b9 CloseHandle 14863->14865 14864->14860 14866 db17f9 14865->14866 14875 db16d0 _Yarn error_info_injector _strlen 14865->14875 14887 db155c 14866->14887 14868 db1840 14919 db1860 14868->14919 14870 db1845 14921 dbb468 14870->14921 14875->14866 14875->14868 14875->14870 14901 db186a 14875->14901 14907 db2952 14875->14907 14885 db10c1 _Yarn error_info_injector _strlen 14876->14885 14886 db120e 14876->14886 14877 db29c6 CatchGuardHandler 5 API calls 14878 db1227 CreateFileA 14877->14878 14878->14857 14878->14858 14879 db1231 14880 db1860 std::ios_base::_Init 31 API calls 14879->14880 14881 db1236 14880->14881 14882 dbb468 std::ios_base::_Init 29 API calls 14881->14882 14882->14881 14883 db186a std::ios_base::_Init 31 API calls 14883->14885 14884 db2952 std::ios_base::_Init 16 API calls 14884->14885 14885->14879 14885->14881 14885->14883 14885->14884 14885->14886 14886->14877 14888 db1098 31 API calls 14887->14888 14889 db1582 FreeConsole 14888->14889 14926 db123b 14889->14926 14892 db123b 103 API calls 14893 db15b9 14892->14893 14894 db1098 31 API calls 14893->14894 14895 db15cc VirtualProtect 14894->14895 14896 db15dd 14895->14896 14897 db15f1 ExitProcess 14895->14897 14898 db29c6 CatchGuardHandler 5 API calls 14896->14898 14899 db15e7 14898->14899 14899->14857 14902 db188b 14901->14902 14903 db1873 14901->14903 15542 db1890 14902->15542 14904 db2952 std::ios_base::_Init 16 API calls 14903->14904 14906 db187c 14904->14906 14906->14875 14910 db2957 14907->14910 14908 dbc994 _Yarn 15 API calls 14908->14910 14909 db2971 14909->14875 14910->14908 14910->14909 14911 db8f08 std::ios_base::_Init 2 API calls 14910->14911 14912 db2973 14910->14912 14911->14910 14913 db297d Concurrency::cancel_current_task 14912->14913 14914 db4a6f std::ios_base::_Init 14912->14914 14916 db5aba Concurrency::cancel_current_task RaiseException 14913->14916 14915 db5aba Concurrency::cancel_current_task RaiseException 14914->14915 14917 db4a8b 14915->14917 14918 db31cf 14916->14918 15547 db31d0 14919->15547 14922 dbb6a7 __strnicoll 29 API calls 14921->14922 14923 dbb477 14922->14923 14924 dbb485 __Getctype 11 API calls 14923->14924 14925 dbb484 14924->14925 14931 db1263 14926->14931 14927 db1355 14928 db29c6 CatchGuardHandler 5 API calls 14927->14928 14929 db1363 14928->14929 14929->14892 14931->14927 14933 db136e 14931->14933 14949 db1533 14931->14949 14934 db138d _strlen 14933->14934 14956 db197e 14934->14956 14936 db1444 14960 db408b 14936->14960 14938 db1515 14985 db1a10 14938->14985 14941 db14c0 14970 db1ab6 14941->14970 14942 db13ad 14942->14936 14942->14941 14964 db19d8 14942->14964 14944 db29c6 CatchGuardHandler 5 API calls 14946 db1529 14944->14946 14945 db1466 14945->14941 14947 db19d8 69 API calls 14945->14947 14946->14931 14947->14945 15281 db23c4 14949->15281 14954 db1a3a 40 API calls 14955 db1558 14954->14955 14955->14931 14957 db1995 14956->14957 14958 db19a6 14957->14958 14989 db1a3a 14957->14989 14958->14942 14961 db409a 14960->14961 14962 db40ad _Yarn 14960->14962 14961->14945 14962->14961 14999 dbc578 14962->14999 14965 db19e5 14964->14965 14966 db19ee 14965->14966 15073 db3c1b 14965->15073 15086 db3c29 14965->15086 15095 db3c0b 14965->15095 14966->14942 14971 db1ae9 14970->14971 14972 db1ad6 14970->14972 14973 db1af9 14971->14973 15142 db5aba 14971->15142 14974 db29c6 CatchGuardHandler 5 API calls 14972->14974 15145 db1c57 14973->15145 14975 db1ae1 14974->14975 14975->14938 14981 db5aba Concurrency::cancel_current_task RaiseException 14982 db1b3a 14981->14982 15156 db1e48 14982->15156 14986 db1a18 14985->14986 14987 db151e 14986->14987 15277 db22fe 14986->15277 14987->14944 14990 db1a5a 14989->14990 14991 db1aa2 14989->14991 14993 db197e 40 API calls 14990->14993 14992 db29c6 CatchGuardHandler 5 API calls 14991->14992 14994 db1aad 14992->14994 14997 db1a64 14993->14997 14994->14958 14995 db1a9b 14996 db1a10 40 API calls 14995->14996 14996->14991 14997->14995 14998 db1ab6 std::ios_base::_Init 40 API calls 14997->14998 14998->14995 15000 dbc58b _Fputc 14999->15000 15003 dbc759 15000->15003 15002 dbc5a0 _Fputc 15002->14961 15004 dbc78f 15003->15004 15005 dbc767 15003->15005 15004->15002 15005->15004 15006 dbc796 15005->15006 15007 dbc774 15005->15007 15011 dbc81c 15006->15011 15008 dbb601 _Fputc 29 API calls 15007->15008 15008->15004 15012 dbc828 ___scrt_is_nonwritable_in_current_image 15011->15012 15019 db875f EnterCriticalSection 15012->15019 15014 dbc836 15020 dbc7d0 15014->15020 15019->15014 15030 dc0bb7 15020->15030 15027 dbc86b 15072 db8773 LeaveCriticalSection 15027->15072 15029 dbc7ce 15029->15002 15051 dc0c62 15030->15051 15032 dc0bc8 _Fputc 15033 dbe531 __fread_nolock 15 API calls 15032->15033 15036 dbc7e8 15032->15036 15034 dc0c21 15033->15034 15035 dbe4f7 ___free_lconv_mon 14 API calls 15034->15035 15035->15036 15037 dbc5b2 15036->15037 15040 dbc5c4 15037->15040 15041 dbc5ed 15037->15041 15038 dbc5d2 15039 dbb601 _Fputc 29 API calls 15038->15039 15039->15041 15040->15038 15040->15041 15046 dbc608 _Yarn 15040->15046 15047 dc0ca0 15041->15047 15043 dbbc27 ___scrt_uninitialize_crt 64 API calls 15043->15046 15044 dc0efc __fread_nolock 29 API calls 15044->15046 15045 dc549f _Fputc 64 API calls 15045->15046 15046->15041 15046->15043 15046->15044 15046->15045 15059 dc5eec 15046->15059 15048 dc0cab 15047->15048 15049 dbc812 15047->15049 15048->15049 15050 dbbc27 ___scrt_uninitialize_crt 64 API calls 15048->15050 15049->15027 15050->15049 15054 dc0c6e _Fputc 15051->15054 15052 dc0c9c 15052->15032 15053 dc0c98 15053->15032 15054->15052 15054->15053 15055 dc0efc __fread_nolock 29 API calls 15054->15055 15056 dc0c89 15055->15056 15057 dc8994 __fread_nolock 29 API calls 15056->15057 15058 dc0c8f 15057->15058 15058->15032 15060 dc5f7c 15059->15060 15061 dc0efc __fread_nolock 29 API calls 15060->15061 15063 dc5f89 15061->15063 15062 dc5f95 15062->15046 15063->15062 15064 dc5fe1 15063->15064 15065 dc5ef7 _Fputc 31 API calls 15063->15065 15064->15062 15066 dc6043 15064->15066 15068 dc0c62 _Fputc 29 API calls 15064->15068 15065->15064 15067 dc6072 _Fputc 64 API calls 15066->15067 15069 dc6054 15067->15069 15070 dc6036 15068->15070 15069->15046 15070->15066 15071 dc7d00 __fread_nolock 14 API calls 15070->15071 15071->15066 15072->15029 15074 db3c22 15073->15074 15078 db3c6e 15073->15078 15110 db8773 LeaveCriticalSection 15074->15110 15075 db3bf9 15075->14966 15077 db3c27 15077->14966 15078->15075 15079 db3cf2 15078->15079 15080 db3cd3 15078->15080 15081 dbc578 69 API calls 15079->15081 15082 db3ce4 15079->15082 15080->15082 15107 db35da 15080->15107 15081->15082 15084 db29c6 CatchGuardHandler 5 API calls 15082->15084 15085 db3d31 15084->15085 15085->14966 15087 db3c4c 15086->15087 15088 db3c45 15086->15088 15087->15088 15092 db3cf2 15087->15092 15093 db3c92 15087->15093 15089 db29c6 CatchGuardHandler 5 API calls 15088->15089 15090 db3d31 15089->15090 15090->14966 15091 db35da _Fputc 68 API calls 15091->15088 15092->15088 15094 dbc578 69 API calls 15092->15094 15093->15088 15093->15091 15094->15088 15096 db3c12 15095->15096 15101 db3c5e 15095->15101 15141 db875f EnterCriticalSection 15096->15141 15098 db3c17 15098->14966 15099 db3c62 15100 db29c6 CatchGuardHandler 5 API calls 15099->15100 15102 db3d31 15100->15102 15101->15099 15104 db3cf2 15101->15104 15105 db3c92 15101->15105 15102->14966 15103 db35da _Fputc 68 API calls 15103->15099 15104->15099 15106 dbc578 69 API calls 15104->15106 15105->15099 15105->15103 15106->15099 15111 dbc079 15107->15111 15109 db35ea 15109->15082 15110->15077 15112 dbc08c _Fputc 15111->15112 15115 dbc0da 15112->15115 15114 dbc09b _Fputc 15114->15109 15116 dbc0e6 ___scrt_is_nonwritable_in_current_image 15115->15116 15117 dbc0ef 15116->15117 15118 dbc113 15116->15118 15119 dbb601 _Fputc 29 API calls 15117->15119 15131 db875f EnterCriticalSection 15118->15131 15130 dbc108 _Fputc 15119->15130 15121 dbc11c 15122 dc0efc __fread_nolock 29 API calls 15121->15122 15125 dbc131 15121->15125 15122->15125 15123 dbc1ce 15132 dbc0ad 15123->15132 15124 dbc19d 15126 dbb601 _Fputc 29 API calls 15124->15126 15125->15123 15125->15124 15126->15130 15128 dbc1da 15137 dbc206 15128->15137 15130->15114 15131->15121 15133 dbc0bb 15132->15133 15134 dbc0cc 15132->15134 15135 dc5eec _Fputc 66 API calls 15133->15135 15134->15128 15136 dbc0c7 15135->15136 15136->15128 15140 db8773 LeaveCriticalSection 15137->15140 15139 dbc20c 15139->15130 15140->15139 15141->15098 15143 db5b02 RaiseException 15142->15143 15144 db5ad4 15142->15144 15143->14973 15144->15143 15146 db1c7a 15145->15146 15147 db1b17 15145->15147 15173 db29d4 AcquireSRWLockExclusive 15146->15173 15153 db1b3a 15147->15153 15149 db1c84 15149->15147 15178 db2a89 15149->15178 15154 db1e48 std::ios_base::_Init 40 API calls 15153->15154 15155 db1b2f 15154->15155 15155->14981 15157 db1e75 _strlen 15156->15157 15158 db1f5e 15157->15158 15160 db1e80 15157->15160 15159 db1860 std::ios_base::_Init 31 API calls 15158->15159 15161 db1f63 15159->15161 15162 db1ec8 15160->15162 15163 db1ed0 15160->15163 15167 db1e8f _Yarn 15160->15167 15165 dbb468 std::ios_base::_Init 29 API calls 15161->15165 15166 db186a std::ios_base::_Init 31 API calls 15162->15166 15164 db2952 std::ios_base::_Init 16 API calls 15163->15164 15164->15167 15165->15161 15166->15167 15217 db1f68 15167->15217 15170 db1f30 error_info_injector 15171 db29c6 CatchGuardHandler 5 API calls 15170->15171 15172 db1b4f 15171->15172 15172->14938 15174 db29e8 15173->15174 15175 db29ed ReleaseSRWLockExclusive 15174->15175 15182 db2a74 SleepConditionVariableSRW 15174->15182 15175->15149 15183 db2a9e 15178->15183 15181 db2a23 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 15181->15147 15182->15174 15184 db2aad 15183->15184 15185 db2ab4 15183->15185 15189 dbaac5 15184->15189 15192 dbaa54 15185->15192 15188 db1c9a 15188->15181 15190 dbaa54 std::ios_base::_Init 32 API calls 15189->15190 15191 dbaad7 15190->15191 15191->15188 15195 dbacb7 15192->15195 15196 dbacc3 ___scrt_is_nonwritable_in_current_image 15195->15196 15203 dbb750 EnterCriticalSection 15196->15203 15198 dbacd1 15204 dbaadb 15198->15204 15200 dbacde 15214 dbad06 15200->15214 15203->15198 15205 dbaaf6 15204->15205 15213 dbab69 std::_Lockit::_Lockit 15204->15213 15206 dbab49 15205->15206 15207 dc3f46 std::ios_base::_Init 32 API calls 15205->15207 15205->15213 15208 dc3f46 std::ios_base::_Init 32 API calls 15206->15208 15206->15213 15210 dbab3f 15207->15210 15209 dbab5f 15208->15209 15211 dbe4f7 ___free_lconv_mon 14 API calls 15209->15211 15212 dbe4f7 ___free_lconv_mon 14 API calls 15210->15212 15211->15213 15212->15206 15213->15200 15215 dbb767 std::_Lockit::~_Lockit LeaveCriticalSection 15214->15215 15216 dbaa85 15215->15216 15216->15188 15218 db1fa0 15217->15218 15219 db1faa 15218->15219 15220 db20be 15218->15220 15222 db1fb2 _Yarn 15219->15222 15224 db1fe8 15219->15224 15225 db1ff0 15219->15225 15221 db1860 std::ios_base::_Init 31 API calls 15220->15221 15223 db20c3 15221->15223 15236 db20c8 15222->15236 15227 dbb468 std::ios_base::_Init 29 API calls 15223->15227 15228 db186a std::ios_base::_Init 31 API calls 15224->15228 15229 db2952 std::ios_base::_Init 16 API calls 15225->15229 15227->15223 15228->15222 15229->15222 15233 db2085 error_info_injector 15234 db29c6 CatchGuardHandler 5 API calls 15233->15234 15235 db1f0d 15234->15235 15235->15161 15235->15170 15237 db20ea 15236->15237 15239 db20f8 15236->15239 15255 db218a 15237->15255 15240 db218a std::ios_base::_Init 40 API calls 15239->15240 15241 db211b 15240->15241 15242 db213f error_info_injector 15241->15242 15244 db2185 15241->15244 15243 db29c6 CatchGuardHandler 5 API calls 15242->15243 15245 db2029 15243->15245 15246 dbb468 std::ios_base::_Init 29 API calls 15244->15246 15247 db6097 15245->15247 15246->15244 15248 db2059 15247->15248 15249 db60a4 15247->15249 15248->15223 15248->15233 15249->15248 15270 dbc994 15249->15270 15252 db60d1 15254 dbc522 ___vcrt_freefls@4 14 API calls 15252->15254 15253 dbe16c std::exception::exception 29 API calls 15253->15252 15254->15248 15256 db21a9 15255->15256 15262 db224f _Yarn error_info_injector 15255->15262 15257 db21b8 15256->15257 15258 db22f3 15256->15258 15259 db21e3 15257->15259 15264 db22e8 15257->15264 15268 db21e9 _Yarn 15257->15268 15260 db1860 std::ios_base::_Init 31 API calls 15258->15260 15261 db186a std::ios_base::_Init 31 API calls 15259->15261 15260->15268 15261->15268 15262->15239 15263 dbb468 std::ios_base::_Init 29 API calls 15267 db22fd 15263->15267 15265 db2952 std::ios_base::_Init 16 API calls 15264->15265 15265->15268 15266 db2339 15266->15239 15267->15266 15269 db1ab6 std::ios_base::_Init 40 API calls 15267->15269 15268->15262 15268->15263 15269->15266 15275 dbe531 _unexpected 15270->15275 15271 dbe56f 15273 dbad6d __strnicoll 14 API calls 15271->15273 15272 dbe55a RtlAllocateHeap 15274 db60c1 15272->15274 15272->15275 15273->15274 15274->15252 15274->15253 15275->15271 15275->15272 15276 db8f08 std::ios_base::_Init 2 API calls 15275->15276 15276->15275 15278 db230b 15277->15278 15279 db2339 15277->15279 15278->15279 15280 db1ab6 std::ios_base::_Init 40 API calls 15278->15280 15279->14987 15280->15279 15282 db23ea 15281->15282 15298 db242b 15282->15298 15284 db29c6 CatchGuardHandler 5 API calls 15286 db1546 15284->15286 15287 db233c 15286->15287 15288 db197e 40 API calls 15287->15288 15289 db2358 15288->15289 15290 db19d8 69 API calls 15289->15290 15291 db2372 15289->15291 15290->15291 15292 db1ab6 std::ios_base::_Init 40 API calls 15291->15292 15293 db23a7 15292->15293 15294 db1a10 40 API calls 15293->15294 15295 db23ae 15294->15295 15296 db29c6 CatchGuardHandler 5 API calls 15295->15296 15297 db1551 15296->15297 15297->14954 15315 db2cd9 15298->15315 15302 db245e 15314 db248c 15302->15314 15329 db254a 15302->15329 15305 db24a8 15307 db29c6 CatchGuardHandler 5 API calls 15305->15307 15310 db23f0 15307->15310 15308 db24bc 15354 db25d6 15308->15354 15309 db2483 15341 db2d7d 15309->15341 15310->15284 15347 db2d0a 15314->15347 15316 db2ce8 15315->15316 15318 db2cef 15315->15318 15365 dbb77e 15316->15365 15319 db244b 15318->15319 15370 db51f8 EnterCriticalSection 15318->15370 15321 db24c2 15319->15321 15322 db24d8 15321->15322 15328 db24fc 15321->15328 15324 db2cd9 std::_Lockit::_Lockit 7 API calls 15322->15324 15323 db29c6 CatchGuardHandler 5 API calls 15325 db2509 15323->15325 15326 db24e3 15324->15326 15325->15302 15327 db2d0a std::_Lockit::~_Lockit 2 API calls 15326->15327 15327->15328 15328->15323 15330 db25bf 15329->15330 15331 db2563 15329->15331 15332 db29c6 CatchGuardHandler 5 API calls 15330->15332 15331->15330 15334 db2952 std::ios_base::_Init 16 API calls 15331->15334 15333 db247b 15332->15333 15333->15308 15333->15309 15335 db2573 15334->15335 15419 db25fa 15335->15419 15342 dbc994 _Yarn 15 API calls 15341->15342 15343 db2d88 15342->15343 15344 db2d8f 15343->15344 15536 db31b3 15343->15536 15344->15314 15348 dbb78c 15347->15348 15349 db2d14 15347->15349 15541 dbb767 LeaveCriticalSection 15348->15541 15350 db2d27 15349->15350 15540 db5206 LeaveCriticalSection 15349->15540 15350->15305 15353 dbb793 15353->15305 15355 db5aba Concurrency::cancel_current_task RaiseException 15354->15355 15356 db25fa 15355->15356 15357 db2cd9 std::_Lockit::_Lockit 7 API calls 15356->15357 15358 db260b 15357->15358 15359 db2647 15358->15359 15360 db2635 15358->15360 15362 db31f0 codecvt 31 API calls 15359->15362 15361 db2dff codecvt 65 API calls 15360->15361 15363 db24c1 15361->15363 15364 db2651 15362->15364 15371 dbf432 15365->15371 15370->15319 15372 dbf5b9 std::_Lockit::_Lockit 5 API calls 15371->15372 15373 dbf437 15372->15373 15392 dbf5d3 15373->15392 15391 dbf464 15391->15391 15393 dbf534 std::_Lockit::_Lockit 5 API calls 15392->15393 15394 dbf43c 15393->15394 15395 dbf5ed 15394->15395 15396 dbf534 std::_Lockit::_Lockit 5 API calls 15395->15396 15397 dbf441 15396->15397 15398 dbf607 15397->15398 15399 dbf534 std::_Lockit::_Lockit 5 API calls 15398->15399 15400 dbf446 15399->15400 15401 dbf621 15400->15401 15402 dbf534 std::_Lockit::_Lockit 5 API calls 15401->15402 15403 dbf44b 15402->15403 15404 dbf63b 15403->15404 15405 dbf534 std::_Lockit::_Lockit 5 API calls 15404->15405 15406 dbf450 15405->15406 15407 dbf655 15406->15407 15408 dbf534 std::_Lockit::_Lockit 5 API calls 15407->15408 15409 dbf455 15408->15409 15410 dbf66f 15409->15410 15411 dbf534 std::_Lockit::_Lockit 5 API calls 15410->15411 15412 dbf45a 15411->15412 15413 dbf689 15412->15413 15414 dbf534 std::_Lockit::_Lockit 5 API calls 15413->15414 15415 dbf45f 15414->15415 15416 dbf6a3 15415->15416 15417 dbf534 std::_Lockit::_Lockit 5 API calls 15416->15417 15418 dbf6b9 15417->15418 15418->15391 15420 db2cd9 std::_Lockit::_Lockit 7 API calls 15419->15420 15421 db260b 15420->15421 15422 db2647 15421->15422 15423 db2635 15421->15423 15464 db31f0 15422->15464 15455 db2dff 15423->15455 15428 db4915 15499 db8588 15428->15499 15471 dbc99f 15455->15471 15459 db2e24 15460 db2e33 15459->15460 15461 dbc99f std::_Locinfo::_Locinfo_dtor 64 API calls 15459->15461 15462 db2e65 _Yarn 15 API calls 15460->15462 15461->15460 15463 db259b 15462->15463 15463->15428 15490 db3292 15464->15490 15467 db5aba Concurrency::cancel_current_task RaiseException 15468 db320f 15467->15468 15493 db1918 15468->15493 15472 dbf432 std::_Lockit::_Lockit 5 API calls 15471->15472 15473 dbc9ac 15472->15473 15482 dbcbd1 15473->15482 15476 db2e65 15477 db2e73 15476->15477 15481 db2e9e _Yarn 15476->15481 15478 db2e7f 15477->15478 15479 dbc522 ___vcrt_freefls@4 14 API calls 15477->15479 15480 dbc994 _Yarn 15 API calls 15478->15480 15478->15481 15479->15478 15480->15481 15481->15459 15483 dbcbdd ___scrt_is_nonwritable_in_current_image 15482->15483 15484 dbb750 std::_Lockit::_Lockit EnterCriticalSection 15483->15484 15485 dbcbeb 15484->15485 15486 dbca72 std::_Locinfo::_Locinfo_dtor 64 API calls 15485->15486 15487 dbcbf8 15486->15487 15488 dbcc20 std::_Locinfo::_Locinfo_dtor LeaveCriticalSection 15487->15488 15489 db2e0c 15488->15489 15489->15476 15496 db3155 15490->15496 15494 db6097 std::exception::exception 30 API calls 15493->15494 15495 db193a 15494->15495 15497 db6097 std::exception::exception 30 API calls 15496->15497 15498 db3181 15497->15498 15498->15467 15500 dbe783 _unexpected 39 API calls 15499->15500 15501 db8593 15500->15501 15502 dbed66 __Getctype 39 API calls 15501->15502 15537 db31c1 Concurrency::cancel_current_task 15536->15537 15538 db5aba Concurrency::cancel_current_task RaiseException 15537->15538 15539 db31cf 15538->15539 15540->15350 15541->15353 15543 db5aba Concurrency::cancel_current_task RaiseException 15542->15543 15544 db18b4 15543->15544 15545 db6097 std::exception::exception 30 API calls 15544->15545 15546 db18d6 15545->15546 15546->14902 15552 db3258 15547->15552 15550 db5aba Concurrency::cancel_current_task RaiseException 15551 db31ef 15550->15551 15553 db3155 std::exception::exception 30 API calls 15552->15553 15554 db31e1 15553->15554 15554->15550 17919 db430a 17920 db4342 17919->17920 17921 db4313 17919->17921 17921->17920 17924 dbbb66 17921->17924 17923 db4335 17925 dbbb78 17924->17925 17929 dbbb81 ___scrt_uninitialize_crt 17924->17929 17926 dbbce4 ___scrt_uninitialize_crt 68 API calls 17925->17926 17927 dbbb7e 17926->17927 17927->17923 17928 dbbb90 17928->17923 17929->17928 17932 dbbe69 17929->17932 17933 dbbe75 ___scrt_is_nonwritable_in_current_image 17932->17933 17940 db875f EnterCriticalSection 17933->17940 17935 dbbe83 17936 dbbbc2 ___scrt_uninitialize_crt 68 API calls 17935->17936 17937 dbbe94 17936->17937 17941 dbbebd 17937->17941 17940->17935 17944 db8773 LeaveCriticalSection 17941->17944 17943 dbbbb7 17943->17923 17944->17943 16423 db3e04 16424 db3e10 __EH_prolog3_GS 16423->16424 16426 db3e79 16424->16426 16427 db3e60 16424->16427 16433 db3e2a 16424->16433 16440 dbbec9 16426->16440 16437 db35ba 16427->16437 16432 db3e98 16432->16433 16434 db3f6d 16432->16434 16436 dbbec9 45 API calls 16432->16436 16460 db33ee 16432->16460 16464 db535e 16433->16464 16434->16433 16467 dbcf47 16434->16467 16436->16432 16438 dbbec9 45 API calls 16437->16438 16439 db35c5 16438->16439 16439->16433 16441 dbbed5 ___scrt_is_nonwritable_in_current_image 16440->16441 16442 dbbedf 16441->16442 16443 dbbef7 16441->16443 16444 dbad6d __strnicoll 14 API calls 16442->16444 16480 db875f EnterCriticalSection 16443->16480 16446 dbbee4 16444->16446 16448 dbb458 __strnicoll 29 API calls 16446->16448 16447 dbbf02 16449 dc0efc __fread_nolock 29 API calls 16447->16449 16450 dbbf1a 16447->16450 16459 dbbeef _Fputc 16448->16459 16449->16450 16451 dbbfaa 16450->16451 16452 dbbf82 16450->16452 16481 dbbfe2 16451->16481 16454 dbad6d __strnicoll 14 API calls 16452->16454 16456 dbbf87 16454->16456 16455 dbbfb0 16491 dbbfda 16455->16491 16457 dbb458 __strnicoll 29 API calls 16456->16457 16457->16459 16459->16432 16461 db3422 16460->16461 16463 db33fe 16460->16463 16663 db46df 16461->16663 16463->16432 16465 db29c6 CatchGuardHandler 5 API calls 16464->16465 16466 db5368 16465->16466 16466->16466 16468 dbcf53 ___scrt_is_nonwritable_in_current_image 16467->16468 16469 dbcf5a 16468->16469 16470 dbcf6f 16468->16470 16471 dbad6d __strnicoll 14 API calls 16469->16471 16678 db875f EnterCriticalSection 16470->16678 16473 dbcf5f 16471->16473 16475 dbb458 __strnicoll 29 API calls 16473->16475 16474 dbcf79 16679 dbcfba 16474->16679 16477 dbcf6a 16475->16477 16477->16434 16480->16447 16482 dbbfee 16481->16482 16483 dbc003 16481->16483 16484 dbad6d __strnicoll 14 API calls 16482->16484 16485 dbc012 16483->16485 16494 dc5d52 16483->16494 16487 dbbff3 16484->16487 16485->16455 16489 dbb458 __strnicoll 29 API calls 16487->16489 16490 dbbffe 16489->16490 16490->16455 16662 db8773 LeaveCriticalSection 16491->16662 16493 dbbfe0 16493->16459 16495 dc5d5d 16494->16495 16496 dc5d6a 16495->16496 16500 dc5d82 16495->16500 16497 dbad6d __strnicoll 14 API calls 16496->16497 16498 dc5d6f 16497->16498 16499 dbb458 __strnicoll 29 API calls 16498->16499 16509 dbc00f 16499->16509 16501 dc5de1 16500->16501 16500->16509 16515 dc7d00 16500->16515 16503 dc0efc __fread_nolock 29 API calls 16501->16503 16504 dc5dfa 16503->16504 16520 dc6144 16504->16520 16507 dc0efc __fread_nolock 29 API calls 16508 dc5e33 16507->16508 16508->16509 16510 dc0efc __fread_nolock 29 API calls 16508->16510 16509->16455 16511 dc5e41 16510->16511 16511->16509 16512 dc0efc __fread_nolock 29 API calls 16511->16512 16513 dc5e4f 16512->16513 16514 dc0efc __fread_nolock 29 API calls 16513->16514 16514->16509 16516 dbf807 _unexpected 14 API calls 16515->16516 16517 dc7d1d 16516->16517 16518 dbe4f7 ___free_lconv_mon 14 API calls 16517->16518 16519 dc7d27 16518->16519 16519->16501 16521 dc6150 ___scrt_is_nonwritable_in_current_image 16520->16521 16522 dc6158 16521->16522 16526 dc6173 16521->16526 16523 dbad80 __dosmaperr 14 API calls 16522->16523 16524 dc615d 16523->16524 16527 dbad6d __strnicoll 14 API calls 16524->16527 16525 dc618a 16528 dbad80 __dosmaperr 14 API calls 16525->16528 16526->16525 16529 dc61c5 16526->16529 16549 dc5e02 16527->16549 16530 dc618f 16528->16530 16531 dc61ce 16529->16531 16532 dc61e3 16529->16532 16534 dbad6d __strnicoll 14 API calls 16530->16534 16535 dbad80 __dosmaperr 14 API calls 16531->16535 16550 dc4ef9 EnterCriticalSection 16532->16550 16537 dc6197 16534->16537 16538 dc61d3 16535->16538 16536 dc61e9 16539 dc621d 16536->16539 16540 dc6208 16536->16540 16543 dbb458 __strnicoll 29 API calls 16537->16543 16541 dbad6d __strnicoll 14 API calls 16538->16541 16551 dc625d 16539->16551 16542 dbad6d __strnicoll 14 API calls 16540->16542 16541->16537 16545 dc620d 16542->16545 16543->16549 16547 dbad80 __dosmaperr 14 API calls 16545->16547 16546 dc6218 16614 dc6255 16546->16614 16547->16546 16549->16507 16549->16509 16550->16536 16552 dc626f 16551->16552 16553 dc6287 16551->16553 16554 dbad80 __dosmaperr 14 API calls 16552->16554 16555 dc65c9 16553->16555 16560 dc62ca 16553->16560 16556 dc6274 16554->16556 16557 dbad80 __dosmaperr 14 API calls 16555->16557 16558 dbad6d __strnicoll 14 API calls 16556->16558 16559 dc65ce 16557->16559 16561 dc627c 16558->16561 16562 dbad6d __strnicoll 14 API calls 16559->16562 16560->16561 16563 dc62d5 16560->16563 16567 dc6305 16560->16567 16561->16546 16564 dc62e2 16562->16564 16565 dbad80 __dosmaperr 14 API calls 16563->16565 16568 dbb458 __strnicoll 29 API calls 16564->16568 16566 dc62da 16565->16566 16569 dbad6d __strnicoll 14 API calls 16566->16569 16570 dc631e 16567->16570 16571 dc6359 16567->16571 16572 dc632b 16567->16572 16568->16561 16569->16564 16570->16572 16606 dc6347 16570->16606 16574 dbe531 __fread_nolock 15 API calls 16571->16574 16573 dbad80 __dosmaperr 14 API calls 16572->16573 16575 dc6330 16573->16575 16576 dc636a 16574->16576 16577 dbad6d __strnicoll 14 API calls 16575->16577 16579 dbe4f7 ___free_lconv_mon 14 API calls 16576->16579 16580 dc6337 16577->16580 16582 dc6373 16579->16582 16583 dbb458 __strnicoll 29 API calls 16580->16583 16581 dc64a5 16584 dc6519 16581->16584 16587 dc64be GetConsoleMode 16581->16587 16585 dbe4f7 ___free_lconv_mon 14 API calls 16582->16585 16613 dc6342 __fread_nolock 16583->16613 16586 dc651d ReadFile 16584->16586 16588 dc637a 16585->16588 16589 dc6535 16586->16589 16590 dc6591 GetLastError 16586->16590 16587->16584 16591 dc64cf 16587->16591 16592 dc639f 16588->16592 16593 dc6384 16588->16593 16589->16590 16596 dc650e 16589->16596 16594 dc659e 16590->16594 16595 dc64f5 16590->16595 16591->16586 16597 dc64d5 ReadConsoleW 16591->16597 16617 dc3ff3 16592->16617 16600 dbad6d __strnicoll 14 API calls 16593->16600 16601 dbad6d __strnicoll 14 API calls 16594->16601 16603 dbad93 __dosmaperr 14 API calls 16595->16603 16595->16613 16609 dc655a 16596->16609 16610 dc6571 16596->16610 16596->16613 16597->16596 16598 dc64ef GetLastError 16597->16598 16598->16595 16599 dbe4f7 ___free_lconv_mon 14 API calls 16599->16561 16604 dc6389 16600->16604 16605 dc65a3 16601->16605 16603->16613 16607 dbad80 __dosmaperr 14 API calls 16604->16607 16608 dbad80 __dosmaperr 14 API calls 16605->16608 16621 dc8994 16606->16621 16607->16613 16608->16613 16630 dc6666 16609->16630 16610->16613 16643 dc690a 16610->16643 16613->16599 16661 dc4f1c LeaveCriticalSection 16614->16661 16616 dc625b 16616->16549 16618 dc4007 _Fputc 16617->16618 16649 dc4194 16618->16649 16620 dc401c _Fputc 16620->16606 16622 dc89ae 16621->16622 16623 dc89a1 16621->16623 16625 dbad6d __strnicoll 14 API calls 16622->16625 16627 dc89ba 16622->16627 16624 dbad6d __strnicoll 14 API calls 16623->16624 16626 dc89a6 16624->16626 16628 dc89db 16625->16628 16626->16581 16627->16581 16629 dbb458 __strnicoll 29 API calls 16628->16629 16629->16626 16655 dc67bd 16630->16655 16632 dbe57f __strnicoll MultiByteToWideChar 16634 dc677a 16632->16634 16637 dc6783 GetLastError 16634->16637 16640 dc66ae 16634->16640 16635 dc6708 16641 dc3ff3 __fread_nolock 31 API calls 16635->16641 16642 dc66c2 16635->16642 16636 dc66f8 16638 dbad6d __strnicoll 14 API calls 16636->16638 16639 dbad93 __dosmaperr 14 API calls 16637->16639 16638->16640 16639->16640 16640->16613 16641->16642 16642->16632 16644 dc6944 16643->16644 16645 dc69da ReadFile 16644->16645 16646 dc69d5 16644->16646 16645->16646 16647 dc69f7 16645->16647 16646->16613 16647->16646 16648 dc3ff3 __fread_nolock 31 API calls 16647->16648 16648->16646 16650 dc4cb0 __fread_nolock 29 API calls 16649->16650 16651 dc41a6 16650->16651 16652 dc41c2 SetFilePointerEx 16651->16652 16653 dc41ae __fread_nolock 16651->16653 16652->16653 16654 dc41da GetLastError 16652->16654 16653->16620 16654->16653 16656 dc67f1 16655->16656 16657 dc6862 ReadFile 16656->16657 16658 dc667d 16656->16658 16657->16658 16659 dc687b 16657->16659 16658->16635 16658->16636 16658->16640 16658->16642 16659->16658 16660 dc3ff3 __fread_nolock 31 API calls 16659->16660 16660->16658 16661->16616 16662->16493 16664 db4793 16663->16664 16665 db4703 16663->16665 16666 db1860 std::ios_base::_Init 31 API calls 16664->16666 16670 db47f6 16665->16670 16667 db4798 16666->16667 16669 db4720 _Yarn _Deallocate 16669->16463 16671 db4802 16670->16671 16672 db4800 16670->16672 16673 db480a 16671->16673 16674 db4811 16671->16674 16672->16669 16676 db186a std::ios_base::_Init 31 API calls 16673->16676 16675 db2952 std::ios_base::_Init 16 API calls 16674->16675 16677 db480f 16675->16677 16676->16677 16677->16669 16678->16474 16680 dbcfd2 16679->16680 16687 dbd042 16679->16687 16681 dc0efc __fread_nolock 29 API calls 16680->16681 16684 dbcfd8 16681->16684 16682 dc7d00 __fread_nolock 14 API calls 16685 dbcf87 16682->16685 16683 dbd02a 16686 dbad6d __strnicoll 14 API calls 16683->16686 16684->16683 16684->16687 16690 dbcfb2 16685->16690 16688 dbd02f 16686->16688 16687->16682 16687->16685 16689 dbb458 __strnicoll 29 API calls 16688->16689 16689->16685 16693 db8773 LeaveCriticalSection 16690->16693 16692 dbcfb8 16692->16477 16693->16692 16848 db422c 16849 db424e 16848->16849 16853 db4263 16848->16853 16854 db43df 16849->16854 16857 db43f9 16854->16857 16859 db4448 16854->16859 16855 db29c6 CatchGuardHandler 5 API calls 16856 db4253 16855->16856 16856->16853 16860 dbc53d 16856->16860 16858 dbc578 69 API calls 16857->16858 16857->16859 16858->16859 16859->16855 16861 dbc548 16860->16861 16862 dbc55d 16860->16862 16863 dbad6d __strnicoll 14 API calls 16861->16863 16862->16861 16864 dbc564 16862->16864 16865 dbc54d 16863->16865 16870 dbae1d 16864->16870 16867 dbb458 __strnicoll 29 API calls 16865->16867 16869 dbc558 16867->16869 16868 dbc573 16868->16853 16869->16853 16871 dbae30 _Fputc 16870->16871 16874 dbb096 16871->16874 16873 dbae45 _Fputc 16873->16868 16876 dbb0a2 ___scrt_is_nonwritable_in_current_image 16874->16876 16875 dbb0a8 16877 dbb601 _Fputc 29 API calls 16875->16877 16876->16875 16878 dbb0eb 16876->16878 16879 dbb0c3 16877->16879 16885 db875f EnterCriticalSection 16878->16885 16879->16873 16881 dbb0f7 16886 dbafaa 16881->16886 16883 dbb10d 16897 dbb136 16883->16897 16885->16881 16887 dbafbd 16886->16887 16888 dbafd0 16886->16888 16887->16883 16900 dbaed1 16888->16900 16890 dbb081 16890->16883 16891 dbaff3 16891->16890 16892 dbb00e 16891->16892 16904 dc424d 16891->16904 16894 dbbc27 ___scrt_uninitialize_crt 64 API calls 16892->16894 16895 dbb021 16894->16895 16918 dc4033 16895->16918 16959 db8773 LeaveCriticalSection 16897->16959 16899 dbb13e 16899->16879 16901 dbaf3a 16900->16901 16902 dbaee2 16900->16902 16901->16891 16902->16901 16903 dc3ff3 __fread_nolock 31 API calls 16902->16903 16903->16901 16905 dc461f 16904->16905 16906 dc462e 16905->16906 16907 dc4656 16905->16907 16909 dbb601 _Fputc 29 API calls 16906->16909 16908 dc0efc __fread_nolock 29 API calls 16907->16908 16910 dc465f 16908->16910 16915 dc4649 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16909->16915 16921 dc4051 16910->16921 16913 dc4709 16924 dc42a9 16913->16924 16915->16892 16916 dc4720 16916->16915 16936 dc4454 16916->16936 16919 dc4194 __fread_nolock 31 API calls 16918->16919 16920 dc404c 16919->16920 16920->16890 16943 dc406f 16921->16943 16925 dc42b8 _Fputc 16924->16925 16926 dc0efc __fread_nolock 29 API calls 16925->16926 16928 dc42d4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16926->16928 16927 db29c6 CatchGuardHandler 5 API calls 16929 dc4452 16927->16929 16930 dc4051 33 API calls 16928->16930 16935 dc42e0 16928->16935 16929->16915 16931 dc4334 16930->16931 16932 dc4366 ReadFile 16931->16932 16931->16935 16933 dc438d 16932->16933 16932->16935 16934 dc4051 33 API calls 16933->16934 16934->16935 16935->16927 16937 dc0efc __fread_nolock 29 API calls 16936->16937 16938 dc4467 16937->16938 16939 dc4051 33 API calls 16938->16939 16941 dc44b1 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16938->16941 16940 dc450e 16939->16940 16940->16941 16942 dc4051 33 API calls 16940->16942 16941->16915 16942->16941 16944 dc407b ___scrt_is_nonwritable_in_current_image 16943->16944 16945 dc40be 16944->16945 16947 dc4104 16944->16947 16953 dc406a 16944->16953 16946 dbb601 _Fputc 29 API calls 16945->16946 16946->16953 16954 dc4ef9 EnterCriticalSection 16947->16954 16949 dc410a 16950 dc412b 16949->16950 16951 dc4194 __fread_nolock 31 API calls 16949->16951 16955 dc418c 16950->16955 16951->16950 16953->16913 16953->16915 16953->16916 16954->16949 16958 dc4f1c LeaveCriticalSection 16955->16958 16957 dc4192 16957->16953 16958->16957 16959->16899

                                                                                                                                                                                                                                                                        Executed Functions

                                                                                                                                                                                                                                                                        Function 00DD519E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00DD5110,00DD5100), ref: 00DD5334
                                                                                                                                                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00DD5347
                                                                                                                                                                                                                                                                        • Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 00DD5365
                                                                                                                                                                                                                                                                        • ReadProcessMemory.KERNELBASE(00000088,?,00DD5154,00000004,00000000), ref: 00DD5389
                                                                                                                                                                                                                                                                        • VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 00DD53B4
                                                                                                                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 00DD540C
                                                                                                                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 00DD5457
                                                                                                                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(00000088,?,?,00000004,00000000), ref: 00DD5495
                                                                                                                                                                                                                                                                        • Wow64SetThreadContext.KERNEL32(0000008C,003F0000), ref: 00DD54D1
                                                                                                                                                                                                                                                                        • ResumeThread.KERNELBASE(0000008C), ref: 00DD54E0
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                                                                                                                                                                                                                        • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                                                                                                                                                                                                                                        • API String ID: 2687962208-3857624555
                                                                                                                                                                                                                                                                        • Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
                                                                                                                                                                                                                                                                        • Instruction ID: 989f8274f969cee446b61acf6b97c31d75e6792b0fdf7342065cb2899501485a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F3B1087260064AAFDB60CF68CC80BDA77A5FF88714F158125EA0CAB345D774FA51CBA4
                                                                                                                                                                                                                                                                        Function 00DB1614 Relevance: 9.2, APIs: 6, Instructions: 171fileCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DB1098: _strlen.LIBCMT ref: 00DB10F9
                                                                                                                                                                                                                                                                        • CreateFileA.KERNELBASE ref: 00DB1675
                                                                                                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00DB1685
                                                                                                                                                                                                                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00DB16AB
                                                                                                                                                                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 00DB16BA
                                                                                                                                                                                                                                                                        • _strlen.LIBCMT ref: 00DB1705
                                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00DB1805
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: File$CloseHandle_strlen$CreateReadSize
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2911764282-0
                                                                                                                                                                                                                                                                        • Opcode ID: ecd77fdec98e806e79b2d5a23cf12da153b46498937b30fc16d4efbb0cc497db
                                                                                                                                                                                                                                                                        • Instruction ID: 25ee9cabc4909cd4d7462a28ecc503710f4588eebcf6730eec83f7f8a11fa02c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ecd77fdec98e806e79b2d5a23cf12da153b46498937b30fc16d4efbb0cc497db
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B951D0B9904341EBC700AF24DC94BAAB7E5FF88314F55492DF48A97351EB34D9448B72
                                                                                                                                                                                                                                                                        Function 00DB123B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 80 db123b-db1261 81 db1263-db127c 80->81 81->81 82 db127e-db1280 81->82 83 db1282-db12ac 82->83 83->83 84 db12ae-db12b6 83->84 85 db12bc-db12c0 84->85 86 db1355-db136d call db29c6 84->86 88 db12c2-db12df 85->88 91 db12fc-db134f 88->91 92 db12e1-db12eb call db136e 88->92 91->86 91->88 94 db12f0-db12f9 call db1533 92->94 94->91
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 00DB12C7
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                        • String ID: [+]$Fu
                                                                                                                                                                                                                                                                        • API String ID: 6842923-1661062833
                                                                                                                                                                                                                                                                        • Opcode ID: 63d5d7766d456f74efc0ed4d31695b54ed26ffe97f06354c315fadfe967f7afc
                                                                                                                                                                                                                                                                        • Instruction ID: 3155e51bb10628b413caf91abaad1bb3dbc6a9f5246e3d022a10b759eff89bf0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 63d5d7766d456f74efc0ed4d31695b54ed26ffe97f06354c315fadfe967f7afc
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E31F73550D3808FD726AB3868997EBBBD4ABAD318F18097DD8CA87343D1615445CB72
                                                                                                                                                                                                                                                                        Function 00DB155C Relevance: 4.6, APIs: 3, Instructions: 64memoryCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DB1098: _strlen.LIBCMT ref: 00DB10F9
                                                                                                                                                                                                                                                                        • FreeConsole.KERNELBASE ref: 00DB158B
                                                                                                                                                                                                                                                                          • Part of subcall function 00DB123B: KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 00DB12C7
                                                                                                                                                                                                                                                                        • VirtualProtect.KERNELBASE(00DD5011,00000549,00000040,?), ref: 00DB15D7
                                                                                                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 00DB160E
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ConsoleDispatcherExceptionExitFreeProcessProtectUserVirtual_strlen
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2898289550-0
                                                                                                                                                                                                                                                                        • Opcode ID: c3956d0c0d22169b104495fc41331b2ebbe5f9df250afdae606e43a05677e355
                                                                                                                                                                                                                                                                        • Instruction ID: a42f1d1b7395e8f56a8ee6db7e38b5e9eb21c72d6b496c8e108e778e709ff21a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c3956d0c0d22169b104495fc41331b2ebbe5f9df250afdae606e43a05677e355
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C119471A01209ABEB00ABA5EC52FFF7768EB84700F504026F609E7385E67599154AF5
                                                                                                                                                                                                                                                                        Function 00DC5283 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 111 dc5283-dc52a5 112 dc5498 111->112 113 dc52ab-dc52ad 111->113 116 dc549a-dc549e 112->116 114 dc52af-dc52ce call dbb601 113->114 115 dc52d9-dc52fc 113->115 122 dc52d1-dc52d4 114->122 118 dc52fe-dc5300 115->118 119 dc5302-dc5308 115->119 118->119 121 dc530a-dc531b 118->121 119->114 119->121 123 dc531d-dc532b call dc4033 121->123 124 dc532e-dc533e call dc55b0 121->124 122->116 123->124 129 dc5387-dc5399 124->129 130 dc5340-dc5346 124->130 133 dc539b-dc53a1 129->133 134 dc53f0-dc5410 WriteFile 129->134 131 dc536f-dc5385 call dc562d 130->131 132 dc5348-dc534b 130->132 152 dc5368-dc536a 131->152 135 dc534d-dc5350 132->135 136 dc5356-dc5365 call dc59f4 132->136 140 dc53dc-dc53e9 call dc5a5c 133->140 141 dc53a3-dc53a6 133->141 138 dc541b 134->138 139 dc5412-dc5418 GetLastError 134->139 135->136 142 dc5430-dc5433 135->142 136->152 146 dc541e-dc5429 138->146 139->138 151 dc53ee 140->151 147 dc53c8-dc53da call dc5c20 141->147 148 dc53a8-dc53ab 141->148 155 dc5436-dc5438 142->155 153 dc542b-dc542e 146->153 154 dc5493-dc5496 146->154 158 dc53c3-dc53c6 147->158 148->155 156 dc53b1-dc53be call dc5b37 148->156 151->158 152->146 153->142 154->116 159 dc543a-dc543f 155->159 160 dc5466-dc5472 155->160 156->158 158->152 164 dc5458-dc5461 call dbadf9 159->164 165 dc5441-dc5453 159->165 162 dc547c-dc548e 160->162 163 dc5474-dc547a 160->163 162->122 163->112 163->162 164->122 165->122
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DC562D: GetConsoleOutputCP.KERNEL32(BD993700,00000000,00000000,?), ref: 00DC5690
                                                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00DBBBF3,?), ref: 00DC5408
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,00DBBBF3,?,00DBBE37,00000000,?,00000000,00DBBE37,?,?,?,00DD4628,0000002C,00DBBD23,?), ref: 00DC5412
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ConsoleErrorFileLastOutputWrite
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2915228174-0
                                                                                                                                                                                                                                                                        • Opcode ID: 8baceb3d7d2d00a82c2f91a3eb1c5e03974911289375b17ca624f2429d510e71
                                                                                                                                                                                                                                                                        • Instruction ID: 2dec4949b190fdff822976449f2c34ba8244e507484fb5790c0ae46c2d926830
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8baceb3d7d2d00a82c2f91a3eb1c5e03974911289375b17ca624f2429d510e71
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5661A371D0464AAFDF158FA8E844FAEBBB9EF59304F18015DE800A7219D771E985CB70
                                                                                                                                                                                                                                                                        Function 00DC5A5C Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 168 dc5a5c-dc5ab1 call db56e0 171 dc5b26-dc5b36 call db29c6 168->171 172 dc5ab3 168->172 173 dc5ab9 172->173 176 dc5abf-dc5ac1 173->176 177 dc5adb-dc5b00 WriteFile 176->177 178 dc5ac3-dc5ac8 176->178 181 dc5b1e-dc5b24 GetLastError 177->181 182 dc5b02-dc5b0d 177->182 179 dc5aca-dc5ad0 178->179 180 dc5ad1-dc5ad9 178->180 179->180 180->176 180->177 181->171 182->171 183 dc5b0f-dc5b1a 182->183 183->173 184 dc5b1c 183->184 184->171
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00DC53EE,00000000,00DBBE37,?,00000000,?,00000000), ref: 00DC5AF8
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00DC53EE,00000000,00DBBE37,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00DBBBF3), ref: 00DC5B1E
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 442123175-0
                                                                                                                                                                                                                                                                        • Opcode ID: a55872772f84e0544c3ff17202ffa7c442c99ef9cc2f673c7ca0a25134ffdc44
                                                                                                                                                                                                                                                                        • Instruction ID: 21c364b0c1455108b6090143bb8190e3ae5c6983b1eee64c04289c49c911cb5b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a55872772f84e0544c3ff17202ffa7c442c99ef9cc2f673c7ca0a25134ffdc44
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EC217331A0161A9BCF15CF29ED80AE9B7F9EB48301F1441ADE906D7215D630EE828B71
                                                                                                                                                                                                                                                                        Function 00DBFF89 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 185 dbff89-dbff8e 186 dbff90-dbffa8 185->186 187 dbffaa-dbffae 186->187 188 dbffb6-dbffbf 186->188 187->188 189 dbffb0-dbffb4 187->189 190 dbffd1 188->190 191 dbffc1-dbffc4 188->191 195 dc002b-dc002f 189->195 194 dbffd3-dbffe0 GetStdHandle 190->194 192 dbffcd-dbffcf 191->192 193 dbffc6-dbffcb 191->193 192->194 193->194 196 dc000d-dc001f 194->196 197 dbffe2-dbffe4 194->197 195->186 198 dc0035-dc0038 195->198 196->195 200 dc0021-dc0024 196->200 197->196 199 dbffe6-dbffef GetFileType 197->199 199->196 201 dbfff1-dbfffa 199->201 200->195 202 dbfffc-dc0000 201->202 203 dc0002-dc0005 201->203 202->195 203->195 204 dc0007-dc000b 203->204 204->195
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00DBFE78,00DD4948), ref: 00DBFFD5
                                                                                                                                                                                                                                                                        • GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00DBFE78,00DD4948), ref: 00DBFFE7
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: FileHandleType
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3000768030-0
                                                                                                                                                                                                                                                                        • Opcode ID: 084b8d4df701efcd547b4bac1844b6f40159468312f0036c1b96adf897746859
                                                                                                                                                                                                                                                                        • Instruction ID: 8c56633d8929d8eb9f0fc1ba8184ae05deb26fcf7e285c75fe0dc00a6ade88dd
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 084b8d4df701efcd547b4bac1844b6f40159468312f0036c1b96adf897746859
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6D119061504752CACB314B3E9C88B22AE95AB56334B39076ED1B7C76F1C220D94AE661
                                                                                                                                                                                                                                                                        Function 00DB136E Relevance: 1.7, APIs: 1, Instructions: 157COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 205 db136e-db13b1 call dbce80 call db197e 210 db14c9-db14ce 205->210 211 db13b7-db13fa 205->211 212 db14f0-db1532 call db1ab6 call db1a10 call db29c6 210->212 213 db144e-db1463 call db408b 211->213 214 db13fc-db1404 211->214 219 db1466-db147b 213->219 214->213 216 db1406-db1409 214->216 217 db140d-db1425 call db19d8 216->217 228 db142b-db1442 217->228 229 db14d0-db14d5 217->229 222 db147d-db1485 219->222 223 db14c0-db14c7 219->223 222->223 226 db1487-db1489 222->226 227 db14e0-db14ec 223->227 231 db148a-db14a5 call db19d8 226->231 227->212 228->217 232 db1444-db144c 228->232 229->227 236 db14d7-db14dc 231->236 237 db14a7-db14be 231->237 232->213 236->227 237->223 237->231
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: _strlen
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 4218353326-0
                                                                                                                                                                                                                                                                        • Opcode ID: 1cb237f3d7314e7b96f666be92bdbf94c6fcfdcc6d43510c1f2f5519903a0b0c
                                                                                                                                                                                                                                                                        • Instruction ID: 379cd5076086b35bed8086860b57f1585a3a6a3b880d53867d52ae9ac75506ce
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1cb237f3d7314e7b96f666be92bdbf94c6fcfdcc6d43510c1f2f5519903a0b0c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0751B3353042048FCB14DF6DC994BAA77D2EF88724F59866CE96ACB392D630ED05CB51
                                                                                                                                                                                                                                                                        Function 00DB3C29 Relevance: 1.6, APIs: 1, Instructions: 111COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 239 db3c29-db3c43 240 db3c4c-db3c54 239->240 241 db3c45-db3c47 239->241 242 db3c56-db3c60 240->242 243 db3c75-db3c79 240->243 244 db3d25-db3d32 call db29c6 241->244 242->243 249 db3c62-db3c73 242->249 246 db3c7f-db3c90 call db44b9 243->246 247 db3d21 243->247 255 db3c98-db3ccc 246->255 256 db3c92-db3c96 246->256 251 db3d24 247->251 253 db3cee-db3cf0 249->253 251->244 253->251 262 db3cce-db3cd1 255->262 263 db3cf2-db3cfa 255->263 257 db3cdf call db35da 256->257 261 db3ce4-db3ceb 257->261 261->253 262->263 266 db3cd3-db3cd7 262->266 264 db3d0f-db3d1f 263->264 265 db3cfc-db3d0d call dbc578 263->265 264->251 265->247 265->264 266->247 268 db3cd9-db3cdc 266->268 268->257
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: d7d72757c92f56f0b9b35fbe6eba995933e106e11896f144e4702ec0962b02eb
                                                                                                                                                                                                                                                                        • Instruction ID: 123fd7a80e906e523fda0d0ce734257f17d237dbe9790152c1df0e073bde7a66
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d7d72757c92f56f0b9b35fbe6eba995933e106e11896f144e4702ec0962b02eb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9431537290011AEFCB15CFA8D8909EDBBF9BF09320B14426AE512E7690D721EA44DB70
                                                                                                                                                                                                                                                                        Function 00DB3C1B Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 270 db3c1b-db3c20 271 db3c6e-db3c74 270->271 272 db3c22-db3c28 call db8773 270->272 273 db3bf9-db3c08 271->273 274 db3c76 271->274 276 db3c78-db3c80 274->276 277 db3cc4-db3ccc 274->277 280 db3cce-db3cd1 277->280 281 db3cf2-db3cfa 277->281 280->281 284 db3cd3-db3cd7 280->284 282 db3d0f-db3d1f 281->282 283 db3cfc-db3d0d call dbc578 281->283 286 db3d24-db3d32 call db29c6 282->286 283->282 288 db3d21 283->288 287 db3cd9-db3cdf call db35da 284->287 284->288 294 db3ce4-db3cf0 287->294 288->286 294->286
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CriticalLeaveSection
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3988221542-0
                                                                                                                                                                                                                                                                        • Opcode ID: fec4bb194830cd689b46542882853077a7af26bdabcbd5335f8023a737dc79f7
                                                                                                                                                                                                                                                                        • Instruction ID: 924a6e2be7b9716e9ab0ab6464c54aee3fe4f7224773eee76eeace3312ff76ac
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fec4bb194830cd689b46542882853077a7af26bdabcbd5335f8023a737dc79f7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C012636A08216DBCB158BB8E9653E8BF60FF85334F24415FD003994D0CB225514E270
                                                                                                                                                                                                                                                                        Function 00DBE531 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule

                                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                                        control_flow_graph 297 dbe531-dbe53d 298 dbe56f-dbe57a call dbad6d 297->298 299 dbe53f-dbe541 297->299 307 dbe57c-dbe57e 298->307 300 dbe55a-dbe56b RtlAllocateHeap 299->300 301 dbe543-dbe544 299->301 303 dbe56d 300->303 304 dbe546-dbe54d call dbb92d 300->304 301->300 303->307 304->298 309 dbe54f-dbe558 call db8f08 304->309 309->298 309->300
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,00DB31E1,00DB186A,?,00DB60C1,00DB186C,00DB186A,?,?,?,00DB3181,00DB31E1,00DB186E,00DB186A,00DB186A,00DB186A), ref: 00DBE563
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                        • Opcode ID: 2a6853fcae5ac9fbd5bd1b5432b49db405971efac4021539f5f71bbf858d59ea
                                                                                                                                                                                                                                                                        • Instruction ID: e508e04338c73679d1e2c698f013e37175f89a6955838c6e5b1d61620704242e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a6853fcae5ac9fbd5bd1b5432b49db405971efac4021539f5f71bbf858d59ea
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0E0E531901220DADA306B69AC00BDE37CCDF017B4F180112AC4797191FB60CD0095F1

                                                                                                                                                                                                                                                                        Non-executed Functions

                                                                                                                                                                                                                                                                        Function 00DC3178 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,00DC2B49,00000002,00000000,?,?,?,00DC2B49,?,00000000), ref: 00DC3211
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,00DC2B49,00000002,00000000,?,?,?,00DC2B49,?,00000000), ref: 00DC323A
                                                                                                                                                                                                                                                                        • GetACP.KERNEL32(?,?,00DC2B49,?,00000000), ref: 00DC324F
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: InfoLocale
                                                                                                                                                                                                                                                                        • String ID: ACP$OCP
                                                                                                                                                                                                                                                                        • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                                                        • Opcode ID: 8dbbbb3b2e038ed1d8f17d11c5b820f0e22715732dd243bc7b09294c22c66485
                                                                                                                                                                                                                                                                        • Instruction ID: 3a53d547c55bc8fc7dd16cda30af1ef7fecc70945c4173328e40739b792996e2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8dbbbb3b2e038ed1d8f17d11c5b820f0e22715732dd243bc7b09294c22c66485
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7219D32600202AADF358F94D805FA7B3A6EB54B64B6EC42DE90AD7210E732DF41D774
                                                                                                                                                                                                                                                                        Function 00DC2A13 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00DC2B1B
                                                                                                                                                                                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 00DC2B59
                                                                                                                                                                                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00DC2B6C
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00DC2BB4
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00DC2BCF
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 415426439-0
                                                                                                                                                                                                                                                                        • Opcode ID: c4a488c60f179e49d33dfc581452bd326c9478c9e4bb4d27f67c2659547cb94e
                                                                                                                                                                                                                                                                        • Instruction ID: 583216830c71cdf071b0cf2be81785a463e6a3377424a06b301a484805067c3c
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c4a488c60f179e49d33dfc581452bd326c9478c9e4bb4d27f67c2659547cb94e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 78515B71A00217ABDB21DFA4CC81FBA77B9EF14700F18406DA511E7190EBB09E059B71
                                                                                                                                                                                                                                                                        Function 00DC375A Relevance: 6.2, APIs: 4, Instructions: 205COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DC384A
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: FileFindFirst
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1974802433-0
                                                                                                                                                                                                                                                                        • Opcode ID: 0aec8e12db7ba79095a85bbe9ed6f52a16a8db2399c820baaed11f6e188589e2
                                                                                                                                                                                                                                                                        • Instruction ID: 368a4cc7949c9a3789d97f5852ef1c4f541841ab55423dc898e09ba88f72c36a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0aec8e12db7ba79095a85bbe9ed6f52a16a8db2399c820baaed11f6e188589e2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4571B4B190515AAFDF209F288C9DFEAB7B9EB05300F1881DEE04993251DA318F858F70
                                                                                                                                                                                                                                                                        Function 00DB5020 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00DB502C
                                                                                                                                                                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 00DB50F8
                                                                                                                                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DB5111
                                                                                                                                                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00DB511B
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 254469556-0
                                                                                                                                                                                                                                                                        • Opcode ID: 986fd9c09493c3855a18c955700eff43c373ed137c0663473ec351f6992fe0db
                                                                                                                                                                                                                                                                        • Instruction ID: 0b3af012090c47a897cf368c084169c414fcf0d0813006ad5130efd49969daa5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 986fd9c09493c3855a18c955700eff43c373ed137c0663473ec351f6992fe0db
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C131F975D05328DBDB20EF64D949BCDBBB8AF08300F1041AAE40DAB250EB719B858F55
                                                                                                                                                                                                                                                                        Function 00DC2CFF Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DC2D53
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DC2D9D
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DC2E63
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 661929714-0
                                                                                                                                                                                                                                                                        • Opcode ID: 32c8dd00613d40a51070ac0e14e38c502369bac2b52e75fc668603cd0ec92e08
                                                                                                                                                                                                                                                                        • Instruction ID: fa4d3258d833c2689e8e887bde834da71252d398e1d83c438b2452d592174e26
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32c8dd00613d40a51070ac0e14e38c502369bac2b52e75fc668603cd0ec92e08
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D9616E71911207DBDB289F29CC82FBAB7A8EF14311F1441AEE905D7285EB74DA81DB70
                                                                                                                                                                                                                                                                        Function 00DBB4B9 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00DB31E1), ref: 00DBB5B1
                                                                                                                                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00DB31E1), ref: 00DBB5BB
                                                                                                                                                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(00DB1542,?,?,?,?,?,00DB31E1), ref: 00DBB5C8
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3906539128-0
                                                                                                                                                                                                                                                                        • Opcode ID: 3826d0eb2d5990eb5cf7fb96ba9a5b367b43adcc5f96b67fabae3cf42dd05205
                                                                                                                                                                                                                                                                        • Instruction ID: 79a46b26cae0b0478f326e7416e26904915ef28d8bf0f64233229fa1a26e1016
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3826d0eb2d5990eb5cf7fb96ba9a5b367b43adcc5f96b67fabae3cf42dd05205
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A031B374901228EBCB21DF28DD897DCBBB8BF48310F5041EAE41DA7251EB709B858F65
                                                                                                                                                                                                                                                                        Function 00DC36A9 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBF807: HeapAlloc.KERNEL32(00000008,?,00DB31E1,?,00DBE921,00000001,00000364,00DB31E1,00000003,000000FF,?,00DB60C1,00DB186C,00DB186A,?,?), ref: 00DBF848
                                                                                                                                                                                                                                                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DC384A
                                                                                                                                                                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00DC393E
                                                                                                                                                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 00DC397D
                                                                                                                                                                                                                                                                        • FindClose.KERNEL32(00000000), ref: 00DC39B0
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Find$CloseFile$AllocFirstHeapNext
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2701053895-0
                                                                                                                                                                                                                                                                        • Opcode ID: 44af67e3d8aed02a46c55d62d97b1fcb3a62741dd04dc71502828b9928ffa0a2
                                                                                                                                                                                                                                                                        • Instruction ID: 757671fe492514a1cc85d585e139513c6dea1af22e11e0152fb7eab83d6fb502
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44af67e3d8aed02a46c55d62d97b1fcb3a62741dd04dc71502828b9928ffa0a2
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F65158B590011AAFDF149F689C89FFEB7A9DF85314F28819EF44993241EA309E419B70
                                                                                                                                                                                                                                                                        Function 00DC2FB1 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DC3005
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3736152602-0
                                                                                                                                                                                                                                                                        • Opcode ID: 52a08c3a4f760abc765ae0d6af6650784807de5a106f9b9314af3698afb645b6
                                                                                                                                                                                                                                                                        • Instruction ID: 6d4215f57c8b13578bc7f4263f28d398a770e949715e88c220acc5f024ace2b2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52a08c3a4f760abc765ae0d6af6650784807de5a106f9b9314af3698afb645b6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3821AF72601207ABDF289E69DC42FBA73A8EB04301B14806EFD02C7145EB34DE009A70
                                                                                                                                                                                                                                                                        Function 00DC30D1 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DC3125
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3736152602-0
                                                                                                                                                                                                                                                                        • Opcode ID: 5a52e772106af88d66f246d349c0b580858fdba66dfcea37adcdeac0551d8e9e
                                                                                                                                                                                                                                                                        • Instruction ID: 5922781f50a9ced975e0d112632909d43390c068b5062980831414f136192453
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a52e772106af88d66f246d349c0b580858fdba66dfcea37adcdeac0551d8e9e
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B011A032611317ABDB24AB28DC42EBAB7A8EF05311B14416EF506D7240EB74EE009BB0
                                                                                                                                                                                                                                                                        Function 00DC2C64 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(00DC2CFF,00000001,00000000,?,-00000050,?,00DC2AEF,00000000,-00000002,00000000,?,00000055,?), ref: 00DC2CD6
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2417226690-0
                                                                                                                                                                                                                                                                        • Opcode ID: b153968a36d65c008213afb4c6cdfbd889c476611f84f4844399d1a033daaca6
                                                                                                                                                                                                                                                                        • Instruction ID: 09a1a13a987d906e5f729cb300eb67c23f0941b3af2fbe5365f578c4373644c9
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b153968a36d65c008213afb4c6cdfbd889c476611f84f4844399d1a033daaca6
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5511E93B2007065FDB18AF39C991BBABB92FF80759B18442DE94787B40D771A943DB60
                                                                                                                                                                                                                                                                        Function 00DC327E Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00DC2F1B,00000000,00000000,?), ref: 00DC32AA
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3736152602-0
                                                                                                                                                                                                                                                                        • Opcode ID: b7eb78c836b2cbacb4ae6a4e547e577ed30601892c77e22130a6858a9347d156
                                                                                                                                                                                                                                                                        • Instruction ID: e1f1ddb454c119b584961613c194c6e1f64342e39ea157286557a9174a901777
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b7eb78c836b2cbacb4ae6a4e547e577ed30601892c77e22130a6858a9347d156
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7601D632600113BBDF285A25C806FBABB54DB40755F19852DEC52A3180EA71EF41CBB8
                                                                                                                                                                                                                                                                        Function 00DC2F52 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(00DC2FB1,00000001,?,?,-00000050,?,00DC2AB7,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00DC2F9C
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2417226690-0
                                                                                                                                                                                                                                                                        • Opcode ID: df956689705fe333d7c7c292e90ec30e1b2118dea73eff116aa0c3a4c21f1087
                                                                                                                                                                                                                                                                        • Instruction ID: 5dd3c7ec35b4aa07a2438424208f563f71cabc7cd2fd3c9b46e4e56ba03d5fc0
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: df956689705fe333d7c7c292e90ec30e1b2118dea73eff116aa0c3a4c21f1087
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5CF0F6362003095FDB146F3A9C95F7A7BA1EF80768B19842DF9458B680C7B19C42CA70
                                                                                                                                                                                                                                                                        Function 00DBF717 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBB750: EnterCriticalSection.KERNEL32(-00023A67,?,00DB8F5A,00000000,00DD44D8,0000000C,00DB8F13,?,?,00DBF83A,?,?,00DBE921,00000001,00000364,00DB31E1), ref: 00DBB75F
                                                                                                                                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(00DBF70A,00000001,00DD4928,0000000C,00DBF118,-00000050), ref: 00DBF74F
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1272433827-0
                                                                                                                                                                                                                                                                        • Opcode ID: 365f886cb43f344eba8e9398402576c0cfe783fc1a7408a4c418f84749cf1135
                                                                                                                                                                                                                                                                        • Instruction ID: 2af95ad0a93a4acd4b8c809261d010d2296437de3914abd8f3c75d86810ca700
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 365f886cb43f344eba8e9398402576c0cfe783fc1a7408a4c418f84749cf1135
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2EF0E776A05704EFD700DFA9E842B9D77B0EB48762F10416AE416DB3A0CBB99905CFA0
                                                                                                                                                                                                                                                                        Function 00DC3086 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • EnumSystemLocalesW.KERNEL32(00DC30D1,00000001,?,?,?,00DC2B11,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00DC30BD
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2417226690-0
                                                                                                                                                                                                                                                                        • Opcode ID: 936c01cb522340189f4d24516d428b4fe3ca5a3ab3fbc8e1c748c0e77973f5f9
                                                                                                                                                                                                                                                                        • Instruction ID: 78b03afcd45ab8b61c77ee617852d9b35268d0a8ac179af3c52224b5d87e2a43
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 936c01cb522340189f4d24516d428b4fe3ca5a3ab3fbc8e1c748c0e77973f5f9
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BDF0EC3670030657CB04AF39D855B667F94EFC1711B0A405DEA058B251C6719942D7B0
                                                                                                                                                                                                                                                                        Function 00DBF21C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00DBA4BC,?,20001004,00000000,00000002,?,?,00DB93CE), ref: 00DBF250
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: InfoLocale
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2299586839-0
                                                                                                                                                                                                                                                                        • Opcode ID: 7fcc9515a24d33bd73e9d6e7f2f75af8f4701076d439462de35a021810f8e0a0
                                                                                                                                                                                                                                                                        • Instruction ID: 36db403253d2df53f7cdd576005d0e87feda1304ecf8802d8c6dea727bb2e0e2
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7fcc9515a24d33bd73e9d6e7f2f75af8f4701076d439462de35a021810f8e0a0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E1E04F36501218FBCF222F60DC05AEE3F15EF44760F044421FD06A5261CB718920AAB9
                                                                                                                                                                                                                                                                        Function 00DB5014 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00005135), ref: 00DB5019
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3192549508-0
                                                                                                                                                                                                                                                                        • Opcode ID: 2ac3221a49e2176852ba79738a240d79b8958799344018d4025381894d6f3247
                                                                                                                                                                                                                                                                        • Instruction ID: 3dea38e0ca3255b4c9732f3bc02175bc52dbb6d5eff9c86145a304602bf3bb6d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ac3221a49e2176852ba79738a240d79b8958799344018d4025381894d6f3247
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                                        Function 00DBFE2C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: HeapProcess
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 54951025-0
                                                                                                                                                                                                                                                                        • Opcode ID: ba4b88ba86a1941daa119402a46b5808a2a226e7b9a311a7b5267382d8afe77c
                                                                                                                                                                                                                                                                        • Instruction ID: 2dd21af22eb7a2c67c9d654b63634ea48d4947409aa38bee6de0df41c4897f01
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ba4b88ba86a1941daa119402a46b5808a2a226e7b9a311a7b5267382d8afe77c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1CA01130A033008B83008F3AAE08A083BAAAA00280308802AA000C0220EB20C080AF22
                                                                                                                                                                                                                                                                        Function 00DCA222 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetCPInfo.KERNEL32(00A8FEE0,00A8FEE0,00000000,7FFFFFFF,?,00DCA20D,00A8FEE0,00A8FEE0,00000000,00A8FEE0,?,?,?,?,00A8FEE0,00000000), ref: 00DCA2C8
                                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00DCA383
                                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00DCA412
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DCA45D
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DCA463
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DCA499
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DCA49F
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DCA4AF
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 127012223-0
                                                                                                                                                                                                                                                                        • Opcode ID: a7b08a989aa7b72b372c67fb8b5f9e40a30f2282be5e03833895724026de1af7
                                                                                                                                                                                                                                                                        • Instruction ID: 2702fdaddf21470b5cd64612498b0d51a92b832d91f1550bf6a6323950c30c0e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a7b08a989aa7b72b372c67fb8b5f9e40a30f2282be5e03833895724026de1af7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6971D23290425FABDF259FA88C55FEE7BBADF45318F28401DE909A7281E675CC008772
                                                                                                                                                                                                                                                                        Function 00DB54C5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00DB550C
                                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00DB5538
                                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00DB5577
                                                                                                                                                                                                                                                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DB5594
                                                                                                                                                                                                                                                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DB55D3
                                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00DB55F0
                                                                                                                                                                                                                                                                        • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00DB5632
                                                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00DB5655
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2040435927-0
                                                                                                                                                                                                                                                                        • Opcode ID: b05f55bf56390e70d67925f369fb801d38f100505c73025f8ccb0ac3fb6b1594
                                                                                                                                                                                                                                                                        • Instruction ID: 53bc125930b35d2e6b20b20960f8eea10a4e4e1f685283a2743802d49d8659a5
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b05f55bf56390e70d67925f369fb801d38f100505c73025f8ccb0ac3fb6b1594
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 25518E72600606EFEF209F64EC45FEA7BA9EB44750F594426FD06D6198DB70CD108BB0
                                                                                                                                                                                                                                                                        Function 00DB61E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00DB6217
                                                                                                                                                                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00DB621F
                                                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00DB62A8
                                                                                                                                                                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00DB62D3
                                                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00DB6328
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                                        • Opcode ID: 87c7164c5d1b05d4c1bf9f2febdf259c4b2597de00af8a2288ab74316d960937
                                                                                                                                                                                                                                                                        • Instruction ID: 01d1ff3be05c3cad0d0fca85a248a3388838cf69f0d47de4da0076aabe1b9e50
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 87c7164c5d1b05d4c1bf9f2febdf259c4b2597de00af8a2288ab74316d960937
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA41A030A00219EFDF10DF68C881AEE7BA5EF45324F188155F8169B352D735DA05CBB5
                                                                                                                                                                                                                                                                        Function 00DBF469 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00DBF578,00DB186A,?,00000000,00DB31E1,00DB186C,?,00DBF1F6,00000022,FlsSetValue,00DCDFE0,00DCDFE8,00DB31E1), ref: 00DBF52A
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: FreeLibrary
                                                                                                                                                                                                                                                                        • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                                                        • API String ID: 3664257935-537541572
                                                                                                                                                                                                                                                                        • Opcode ID: 4d7faa5ae2ff5547fd971c46e616715a6998d9862fd84df5da69f84ebbbde0f0
                                                                                                                                                                                                                                                                        • Instruction ID: 5e5b1c3d525b152b7a37069703d7ad484f7fe839dbac06edfb21bfb1ea8b9309
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d7faa5ae2ff5547fd971c46e616715a6998d9862fd84df5da69f84ebbbde0f0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 63219376A02312EBC7319B64EC44A9A77A8DB41764B284135FD47E7391E730EE00C6F1
                                                                                                                                                                                                                                                                        Function 00DC625D Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: a2c8e76a1657df7ec108c05692b6d94a1c0a0a6d010f979de42fe3ef8b90ecde
                                                                                                                                                                                                                                                                        • Instruction ID: f0619c6ad654b2982fa03db7b6a4e76e319a096c05f90d3b5f3d93a233dbe50e
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a2c8e76a1657df7ec108c05692b6d94a1c0a0a6d010f979de42fe3ef8b90ecde
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 30B111B0A08246AFDB11DFA8D850FAEBBB5EF49310F28415DE5019B386C770D946CBB1
                                                                                                                                                                                                                                                                        Function 00DBD2C0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,00DBD2B7,00DB5FB7,00DB5179), ref: 00DBD2CE
                                                                                                                                                                                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DBD2DC
                                                                                                                                                                                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DBD2F5
                                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,00DBD2B7,00DB5FB7,00DB5179), ref: 00DBD347
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3852720340-0
                                                                                                                                                                                                                                                                        • Opcode ID: 88b5306a686e2b53296bb4f0937267ce398710d2ce9bcc4e48ac0fd569840ac0
                                                                                                                                                                                                                                                                        • Instruction ID: 040d8a042733be1bdebc56bc0f9d1234156786c3d1c0aa9b9796269353b86400
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 88b5306a686e2b53296bb4f0937267ce398710d2ce9bcc4e48ac0fd569840ac0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B401D83220F716DE962517747CD5EAA37C9EB02775728022EF112953E5FF618C046BB1
                                                                                                                                                                                                                                                                        Function 00DBDB88 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • type_info::operator==.LIBVCRUNTIME ref: 00DBDCA7
                                                                                                                                                                                                                                                                        • CallUnexpected.LIBVCRUNTIME ref: 00DBDF20
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CallUnexpectedtype_info::operator==
                                                                                                                                                                                                                                                                        • String ID: csm$csm$csm
                                                                                                                                                                                                                                                                        • API String ID: 2673424686-393685449
                                                                                                                                                                                                                                                                        • Opcode ID: f4ba1dd64ec9a209875a4f24c227421f423d6987623be55cc338c719dd9cd275
                                                                                                                                                                                                                                                                        • Instruction ID: 74d6a2a225f176445695d2787d4a44c8215adf06a696fb497b6d8f66ce17ca2a
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f4ba1dd64ec9a209875a4f24c227421f423d6987623be55cc338c719dd9cd275
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9FB13C71800209EFCF15DFA4C8819EEBBB6FF18310B184559F8526B215E771EA51CBB5
                                                                                                                                                                                                                                                                        Function 00DB8C55 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BD993700,?,?,00000000,00DCB774,000000FF,?,00DB8D16,00DB8BFD,?,00DB8DB2,00000000), ref: 00DB8C8A
                                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DB8C9C
                                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,00DCB774,000000FF,?,00DB8D16,00DB8BFD,?,00DB8DB2,00000000), ref: 00DB8CBE
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                                        • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                                        • Opcode ID: 315142995d6316912097376be83fbe8d13f75b9719acffaadfd2b3569305c785
                                                                                                                                                                                                                                                                        • Instruction ID: 226677a807c95918b71b8f9a5e37b046de03fa3ae53e02d43d7dc0aade804a70
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 315142995d6316912097376be83fbe8d13f75b9719acffaadfd2b3569305c785
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 15012C71946B59EFDB118B54DC09BAEBBB8FB44B11F044526E812E23D0DBB49904CEA0
                                                                                                                                                                                                                                                                        Function 00DBFC3D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00DBFCC2
                                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00DBFD8B
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DBFDF2
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE531: RtlAllocateHeap.NTDLL(00000000,00DB31E1,00DB186A,?,00DB60C1,00DB186C,00DB186A,?,?,?,00DB3181,00DB31E1,00DB186E,00DB186A,00DB186A,00DB186A), ref: 00DBE563
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DBFE05
                                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00DBFE12
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1423051803-0
                                                                                                                                                                                                                                                                        • Opcode ID: 233ef32cdbcc86db93e4c0993efd7a003d911810891e271aaf6586bfbd9d7acb
                                                                                                                                                                                                                                                                        • Instruction ID: dfe2408a7adde3a736985f14b827765958af881559c63ad293cfbeff4a73635d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 233ef32cdbcc86db93e4c0993efd7a003d911810891e271aaf6586bfbd9d7acb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19518072600246EBDF219F619C82EFB7BA9EF44710B190539FD06DB152EB30DD5096B0
                                                                                                                                                                                                                                                                        Function 00DB3010 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • __EH_prolog3.LIBCMT ref: 00DB3017
                                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00DB3022
                                                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00DB3090
                                                                                                                                                                                                                                                                          • Part of subcall function 00DB2EE4: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00DB2EFC
                                                                                                                                                                                                                                                                        • std::locale::_Setgloballocale.LIBCPMT ref: 00DB303D
                                                                                                                                                                                                                                                                        • _Yarn.LIBCPMT ref: 00DB3053
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1088826258-0
                                                                                                                                                                                                                                                                        • Opcode ID: 3403a47c11147325a04df8b2f3ee38cd6c1a79e5421ae4375ee69971b8c3a127
                                                                                                                                                                                                                                                                        • Instruction ID: 270ca573725258a96e2b9d2e0034c8d5e56ac08c558ac973ae8f3f8e3b043066
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3403a47c11147325a04df8b2f3ee38cd6c1a79e5421ae4375ee69971b8c3a127
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 96015AB6A01611DBCB06EF60E855ABD7B61FF84750B14400AE81297381CB34AA42DBF1
                                                                                                                                                                                                                                                                        Function 00DC7E92 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00DC7F2E,00000000,?,00DD6E10,?,?,?,00DC7E65,00000004,InitializeCriticalSectionEx,00DCE57C,00DCE584), ref: 00DC7E9F
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00DC7F2E,00000000,?,00DD6E10,?,?,?,00DC7E65,00000004,InitializeCriticalSectionEx,00DCE57C,00DCE584,00000000,?,00DBE1DC), ref: 00DC7EA9
                                                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00DC7ED1
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                                                                                                                                        • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                                        • Opcode ID: 506f8431ebf2c1b6e905a18d71e1e0f77a22125babd1659d6d9ad58ccb63d314
                                                                                                                                                                                                                                                                        • Instruction ID: cedd07736645fadd743a856beb1e0acead7ba086e10bcb204f7d1781c5686397
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 506f8431ebf2c1b6e905a18d71e1e0f77a22125babd1659d6d9ad58ccb63d314
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 88E09A3128430ABAEA201BA0EC06F193F58DB20B50F140021F90DF86E1E7B1DA508AA6
                                                                                                                                                                                                                                                                        Function 00DC562D Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetConsoleOutputCP.KERNEL32(BD993700,00000000,00000000,?), ref: 00DC5690
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DBFDE8,?,00000000,-00000008), ref: 00DBE6A2
                                                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DC58E2
                                                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DC5928
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00DC59CB
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2112829910-0
                                                                                                                                                                                                                                                                        • Opcode ID: 5c262551f44609393a800d4c717a56923223982a0f9dd76612a3b46ded187fcb
                                                                                                                                                                                                                                                                        • Instruction ID: 97bb0eb8f6ddcb0e0cd7badf87ece334c6cb730601272e22346c2d1951378c03
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c262551f44609393a800d4c717a56923223982a0f9dd76612a3b46ded187fcb
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CED17A75D00649DFCF15CFA8E880AADBBB5EF08310F28456EE456EB355D630A986CF60
                                                                                                                                                                                                                                                                        Function 00DBD8AF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: AdjustPointer
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1740715915-0
                                                                                                                                                                                                                                                                        • Opcode ID: c79bf6d2f9a1eed4b46fdef0f0d15c09bcf10e8273394751e52720433a8ca3a7
                                                                                                                                                                                                                                                                        • Instruction ID: c8fc42468b5e8d3c67ec831657eae75e3c368fdfca81110c4c9f4668ace36595
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c79bf6d2f9a1eed4b46fdef0f0d15c09bcf10e8273394751e52720433a8ca3a7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3851AC72A05602EFDF299F15D841BEAB7A6EF45710F184429E8479B291FB31ED40CBB0
                                                                                                                                                                                                                                                                        Function 00DC3537 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DBFDE8,?,00000000,-00000008), ref: 00DBE6A2
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00DC359B
                                                                                                                                                                                                                                                                        • __dosmaperr.LIBCMT ref: 00DC35A2
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00DC35DC
                                                                                                                                                                                                                                                                        • __dosmaperr.LIBCMT ref: 00DC35E3
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 1913693674-0
                                                                                                                                                                                                                                                                        • Opcode ID: 348de34f05c34419e829e3b82b2138e991856d6608398293155daa221600af20
                                                                                                                                                                                                                                                                        • Instruction ID: 9230aaa9dfb7468ece60f0271061948adda32a0514681d1b6fe48ad728d71bda
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 348de34f05c34419e829e3b82b2138e991856d6608398293155daa221600af20
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0521D771610606AFDB20AF699841E6AB7ACFF44364704C52DF86687641EB30EF008BB1
                                                                                                                                                                                                                                                                        Function 00DB8042 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                                        • Opcode ID: 1414b4045904472ab093ab6bbfb897d816675d06a29a17e2e5e6447da326b15d
                                                                                                                                                                                                                                                                        • Instruction ID: 796ea0688103129d41cd39462e6b050139d6ed96a75ee61add84f3cf9911f1ca
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1414b4045904472ab093ab6bbfb897d816675d06a29a17e2e5e6447da326b15d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 89219D31604205EFDB20AF68CC909EA77ADEF543A4B144529F86B97251EF31EC00EBB1
                                                                                                                                                                                                                                                                        Function 00DC484F Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 00DC4857
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE641: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00DBFDE8,?,00000000,-00000008), ref: 00DBE6A2
                                                                                                                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DC488F
                                                                                                                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DC48AF
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 158306478-0
                                                                                                                                                                                                                                                                        • Opcode ID: b14bdc7e4a782367876f2b70c8373d081c3bdac4e0682d3b19c99dc4e12a809c
                                                                                                                                                                                                                                                                        • Instruction ID: f8b568063745b0e38d5596d80c860c2fff1517aa807109d2e414c28ebf4ad488
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b14bdc7e4a782367876f2b70c8373d081c3bdac4e0682d3b19c99dc4e12a809c
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C1166F9903266BFA71527B59CAEDFF6F6CCE857943140528F802D3200FA64CE0082B1
                                                                                                                                                                                                                                                                        Function 00DB457B Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • __EH_prolog3.LIBCMT ref: 00DB4582
                                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00DB458C
                                                                                                                                                                                                                                                                          • Part of subcall function 00DB24C2: std::_Lockit::_Lockit.LIBCPMT ref: 00DB24DE
                                                                                                                                                                                                                                                                          • Part of subcall function 00DB24C2: std::_Lockit::~_Lockit.LIBCPMT ref: 00DB24F7
                                                                                                                                                                                                                                                                        • codecvt.LIBCPMT ref: 00DB45C6
                                                                                                                                                                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00DB45FD
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 3716348337-0
                                                                                                                                                                                                                                                                        • Opcode ID: f9fe2269f06c4e96975c0e8575540cbf53a118ebd9b461014d1f3da40a662a0f
                                                                                                                                                                                                                                                                        • Instruction ID: 1f4b87fb1a0038c5200950648ad86f55faaeff0721356a67c99fe8a21807d460
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9fe2269f06c4e96975c0e8575540cbf53a118ebd9b461014d1f3da40a662a0f
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A801A936900619DBCB04EBA4D826AFD77A1FF94320F24054AE413AB392CF70DE018BB1
                                                                                                                                                                                                                                                                        Function 00DCA4E0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00DC9B0F,00000000,00000001,00000000,?,?,00DC5A1F,?,00000000,00000000), ref: 00DCA4F7
                                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00DC9B0F,00000000,00000001,00000000,?,?,00DC5A1F,?,00000000,00000000,?,?,?,00DC5365,00000000), ref: 00DCA503
                                                                                                                                                                                                                                                                          • Part of subcall function 00DCA554: CloseHandle.KERNEL32(FFFFFFFE,00DCA513,?,00DC9B0F,00000000,00000001,00000000,?,?,00DC5A1F,?,00000000,00000000,?,?), ref: 00DCA564
                                                                                                                                                                                                                                                                        • ___initconout.LIBCMT ref: 00DCA513
                                                                                                                                                                                                                                                                          • Part of subcall function 00DCA535: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00DCA4D1,00DC9AFC,?,?,00DC5A1F,?,00000000,00000000,?), ref: 00DCA548
                                                                                                                                                                                                                                                                        • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00DC9B0F,00000000,00000001,00000000,?,?,00DC5A1F,?,00000000,00000000,?), ref: 00DCA528
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2744216297-0
                                                                                                                                                                                                                                                                        • Opcode ID: 44d86bc833f6928ea7e986eb3af4ce2d28f4f3dcc482f0e5139613e1127244b0
                                                                                                                                                                                                                                                                        • Instruction ID: cf6dedad4a5cd3adcfab529c0edfb490b5acd9c3e284efb1f3191f34e1f2210b
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44d86bc833f6928ea7e986eb3af4ce2d28f4f3dcc482f0e5139613e1127244b0
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 81F03736122319BFCF221F95EC04E9A3F26FF44364B044515F909C6230D631C9209BB2
                                                                                                                                                                                                                                                                        Function 00DB59A7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00DB59B9
                                                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00DB59C8
                                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00DB59D1
                                                                                                                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00DB59DE
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                                        • API String ID: 2933794660-0
                                                                                                                                                                                                                                                                        • Opcode ID: 74f40213ef1d26cf39a0236d795e9feeb03aeab37d790e0e631b7524cf58cdd7
                                                                                                                                                                                                                                                                        • Instruction ID: 349a99a602cf619bc2026d93613ac4e6026d566fa9cb53f1a0bcbcbf2dd93328
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 74f40213ef1d26cf39a0236d795e9feeb03aeab37d790e0e631b7524cf58cdd7
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90F06274D1220DEBCB00DBB4D94999EFBF4FF1C204B915596A412E7210E770AB449F61
                                                                                                                                                                                                                                                                        Function 00DC2117 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: GetLastError.KERNEL32(00000000,?,00DC0AB9), ref: 00DBE787
                                                                                                                                                                                                                                                                          • Part of subcall function 00DBE783: SetLastError.KERNEL32(00000000,?,?,00000028,00DBB9D2), ref: 00DBE829
                                                                                                                                                                                                                                                                        • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00DB9266,?,?,?,00000055,?,-00000050,?,?,?), ref: 00DC21D6
                                                                                                                                                                                                                                                                        • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00DB9266,?,?,?,00000055,?,-00000050,?,?), ref: 00DC220D
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ErrorLast$CodePageValid
                                                                                                                                                                                                                                                                        • String ID: utf8
                                                                                                                                                                                                                                                                        • API String ID: 943130320-905460609
                                                                                                                                                                                                                                                                        • Opcode ID: 3013b64f7212d4c10110ecb44c6483212b4b72adeae2173b969a77adbe0c72d3
                                                                                                                                                                                                                                                                        • Instruction ID: 5077f7478f932c9b81ca8702e037d40fd5d9a849684ca163d63d98584d172475
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3013b64f7212d4c10110ecb44c6483212b4b72adeae2173b969a77adbe0c72d3
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2051E571A40357EADB25AB75CC82FB6B3A8EF45700F18042EFA45DB181FA74E940C6B5
                                                                                                                                                                                                                                                                        Function 00DBDFAC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00DBDEAD,?,?,00000000,00000000,00000000,?), ref: 00DBDFD1
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: EncodePointer
                                                                                                                                                                                                                                                                        • String ID: MOC$RCC
                                                                                                                                                                                                                                                                        • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                                                                        • Opcode ID: 6119cb03903e24ce6bbd163f87ba6a94e0661ae43c1a6e6185677199f135091d
                                                                                                                                                                                                                                                                        • Instruction ID: d9b4a9358b358f8a5f51b2143e81a2d51e249440897425ff47ac478882f3814d
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6119cb03903e24ce6bbd163f87ba6a94e0661ae43c1a6e6185677199f135091d
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FD416831900209EFCF26EF98DC81AEEBBB5FF48300F188059FA06A7255D3B59950DB61
                                                                                                                                                                                                                                                                        Function 00DBD818 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00DBDA8F
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ___except_validate_context_record
                                                                                                                                                                                                                                                                        • String ID: csm$csm
                                                                                                                                                                                                                                                                        • API String ID: 3493665558-3733052814
                                                                                                                                                                                                                                                                        • Opcode ID: 7d7c782a2f1ae1a36aac978d86e2b1db7cdd8b50c8d324e865eca47e1176c4f1
                                                                                                                                                                                                                                                                        • Instruction ID: d38c5c3873791a4b7b293efe187dc435d37d0bdf34a37d97a0df87976c699793
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d7c782a2f1ae1a36aac978d86e2b1db7cdd8b50c8d324e865eca47e1176c4f1
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4431CF32500209EBCF269F54C8409EA7B77FF08365B2D416AF8564A221E333CCA1DBB5
                                                                                                                                                                                                                                                                        Function 00DB29D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE
                                                                                                                                                                                                                                                                        Download Yara Rule
                                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                                        • AcquireSRWLockExclusive.KERNEL32(00DD648C,ios_base::badbit set,?,?,00DB1C84,00DD6478,00DB1B17), ref: 00DB29DF
                                                                                                                                                                                                                                                                        • ReleaseSRWLockExclusive.KERNEL32(00DD648C,?,?,00DB1C84,00DD6478,00DB1B17), ref: 00DB2A19
                                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2763958749.0000000000DB1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00DB0000, based on PE: true
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2763873546.0000000000DB0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764012563.0000000000DCC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764043735.0000000000DD5000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764114148.0000000000DD6000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764142311.0000000000DD8000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764235243.0000000000DDA000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        • Associated: 00000007.00000002.2764318279.0000000000DDD000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_db0000_a2236cc5aa.jbxd
                                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                                        • API ID: ExclusiveLock$AcquireRelease
                                                                                                                                                                                                                                                                        • String ID: ios_base::badbit set
                                                                                                                                                                                                                                                                        • API String ID: 17069307-3882152299
                                                                                                                                                                                                                                                                        • Opcode ID: f9abc8c8285188522abee05a63e74a949a0a1cf6ddff96f5e72f8bf37684a69a
                                                                                                                                                                                                                                                                        • Instruction ID: 4d454915616ec9a6521eab33db1e9a928617df9ca52d371a1279cf1f4255ac03
                                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9abc8c8285188522abee05a63e74a949a0a1cf6ddff96f5e72f8bf37684a69a
                                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3DF08236501200DBCB24AF18D844AB5BB68FB45735F14032FE89B833A0C7316842CE71